Abstract

The logic of equality with uninterpreted functions (EUF) provides a means of abstracting 
the manipulation of data by a processor when verifying the correctness of its control logic. By 
reducing formulas in this logic to propositional formulas, we can apply Boolean methods such 
as Ordered Binary Decision Diagrams (BDDs) and Boolean satisfiability checkers to perform 
the verification. 

We can exploit characteristics of the formulas describing the verification conditions to 
greatly simplify the propositional formulas generated. We identify a class of terms we call "p-terms" for which equality comparisons can only be used in monotonically positive formulas.
By applying suitable abstractions to the hardware model, we can express the functionality of 
data values and instruction addresses flowing through an instruction pipeline with p-terms. A 
decision procedure can exploit the restricted uses of p-terms by considering only "maximally 
diverse" interpretations of the associated function symbols, where every function application 
yields a different value except when constrained by functional consistency. 

We present two methods to translate formulas in EUF into propositional logic. The first interprets the formula over a domain of fixed-length bit vectors and uses vectors of propositional variables to encode domain variables. The second generates formulas encoding the conditions under which pairs of terms have equal valuations, introducing propositional variables to encode the equality relations between pairs of terms. Both of these approaches can exploit maximal diversity to greatly reduce the number of propositional variables that need to be introduced and to reduce the overall formula sizes.

We present experimental results demonstrating the efficiency of this approach when verifying pipelined processors using the method proposed by Burch and Dill. Exploiting positive equality allows us to overcome the exponential blow-up experienced previously [VB98] when verifying microprocessors with load, store, and branch instructions.

Keywords: Formal verification, Processor verification, Uninterpreted functions, Decision 
procedures 



1 Introduction 

For automatically reasoning about pipelined processors, Burch and Dill demonstrated the value 
of using propositional logic, extended with uninterpreted functions, uninterpreted predicates, and 
the testing of equality [BD94]. Their approach involves abstracting the data path as a collection
of registers and memories storing data, units such as ALUs operating on the data, and various 
connections and multiplexors providing methods for data to be transferred and selected. The initial 
state of each register is represented by a domain variable indicating an arbitrary data value. The 
operation of units that transform data is abstracted as blocks computing functions with no specified 
properties other than functional consistency, i.e., that applications of a function to equal arguments 
yield equal results: x = y => f(x) = f(y). The state of a register at any point in the computation 
can be represented by a symbolic term, an expression consisting of a combination of domain 
variables, function and predicate applications, and Boolean operations. Verifying that a pipelined 
processor has behavior matching that of an unpipelined instruction set reference model can be 
performed by constructing a formula in this logic that compares for equality the terms describing 
the results produced by the two models and then proving the validity of this formula. 

In their 1994 paper, Burch and Dill also described the implementation of a decision procedure for this logic based on theorem proving search methods. Their procedure builds on ones originally described by Shostak [Sho79] and by Nelson and Oppen [NO80], using combinatorial search coupled with algorithms for maintaining a partitioning of the terms into equivalence classes based on the equalities that hold at a given step of the search. More details of their decision procedure are given in [JDB95].



Burch and Dill's work has generated considerable interest in the use of uninterpreted functions to abstract data operations in processor verification. A common theme has been to adopt Boolean methods, either to allow integration of uninterpreted functions into symbolic model checkers [DPR98, BBCZ98], or to allow the use of Binary Decision Diagrams (BDDs) [Bry86] in the decision procedure [HKGB97, GSZAS98, VB98]. Boolean methods allow a more direct modeling of the control logic of hardware designs and thus can be applied to actual processor designs rather than highly abstracted models. In addition to BDD-based decision procedures, Boolean methods could use some of the recently developed satisfiability procedures for propositional logic.



In principle, Boolean methods could outperform decision procedures based on theorem proving 
search methods, especially when verifying processors with more complex control logic, e.g., due 
to superscalar or out-of-order operation. 

Boolean methods can be used to decide the validity of a formula containing terms and uninterpreted 
functions by interpreting the formula over a domain of fixed-length bit vectors. Such an approach 
exploits the property that a given formula contains a limited number of function applications and 
therefore can be proved to be universally valid by considering its interpretation over a sufficiently 
large, but finite domain [Ack54]. If a formula contains a total of $m$ function applications, then the set of all bit vectors of length $k$ forms an adequate domain for $k \geq \log_2 m$. The formula to be verified can be translated into one in propositional logic, using vectors of propositional variables to encode the possible values generated by function applications [HKGB97]. Our implementation of such an approach [VB98] as part of a BDD-based symbolic simulation system was successful at
verifying simple pipelined data paths. We found, however, that the computational resources grew 
exponentially as we increased the pipeline depth. Modeling the interactions between successive 
instructions flowing through the pipeline, as well as the functional consistency of the ALU results, 
precludes having an ordering of the variables encoding term values that yields compact BDDs. 
Similarly, we found that extending the data path to a complete processor by adding either load 
and store instructions or instruction fetch logic supporting jumps and conditional branches led to 
impossible BDD variable ordering requirements. 

Goel et al. [GSZAS98] present an alternate approach to using BDDs to decide the validity of formulas in the logic of equality with uninterpreted functions. In their formulation they introduce a propositional variable $e_{ij}$ for each pair of function application terms $T_i$ and $T_j$, expressing the
conditions under which the two terms are equal. They add constraints expressing both functional 
consistency and the transitivity of equality among the terms. Their experimental results were 
also somewhat disappointing. For all previous methods of reducing EUF to propositional logic, 
Boolean methods have not lived up to their promise of outperforming ones based on theorem 
proving search. 

In this paper, we show that the characteristics of the formulas generated when modeling processor 
pipelines can be exploited to greatly reduce the number of propositional variables that are introduced when translating the formula into propositional logic. We distinguish a class of terms we
call p-terms for which equality comparisons can be used only in monotonically positive formulas. 
Such formulas are suitable for describing the top-level correctness condition, but not for modeling 
any control decisions in the hardware. By applying suitable abstractions to the hardware model, 
we can express the functionality of data values and instruction addresses with p-terms. 

A decision procedure can exploit the restricted uses of p-terms by considering only "maximally 
diverse" interpretations of the associated "p-function" symbols, where every function application 
yields a different value except when constrained by functional consistency. We present a method 
of transforming a formula containing function applications into one containing only domain variables that differs from the commonly-used method described by Ackermann [Ack54]. Our method allows a translation into propositional logic that uses vectors with fixed bit patterns rather than propositional variables to encode domain variables introduced while eliminating p-function applications. This reduction in propositional variables greatly simplifies the BDDs generated when checking tautology, often avoiding the exponential blow-up experienced by other procedures. Alternatively, we can use an encoding scheme similar to Goel et al. [GSZAS98], but with many of the $e_{ij}$ values set to false rather than to Boolean variables.



Others have recognized the value of restricting the testing of equality when modeling the flow of data in pipelines. Berezin et al. [BBCZ98] generate a model of an execution unit suitable for symbolic model checking in which the data values and operations are kept abstract. In our
terminology, their functional terms are all p-terms. They use fixed bit patterns to represent the 
initial states of registers, much as we replace p-term domain variables by fixed bit patterns. To 
model the outcome of each program operation, they generate an entry in a "reference file" and 
refer to the result by a pointer to this file. These pointers are similar to the bit patterns we generate 
to denote the p-function application outcomes. This paper provides an alternate, and somewhat 
more general view of the efficiency gains allowed by p-terms. 

Damm et al. [DPR98] consider an even more restricted logic such that in the terms describing the computed result, no function symbol is applied to a term that already contains the same symbol. As a consequence, they can guarantee that an equality between two terms holds universally if it holds over the domain {0, 1} and with function symbols having four possible interpretations: constant functions 0 or 1, and projection functions selecting the first or second argument. They can therefore argue that verifying an execution unit in which the data path width is reduced to a single bit
and in which the functional units implement only four functions suffices to prove its correctness 
for all possible widths and functionalities. Their work imposes far greater restrictions than we 
place on p-terms, but it allows them to bound the domain that must be considered to determine 
universal validity independently from the formula size. 

In comparison to both of these other efforts, we maintain the full generality of the unrestricted terms of Burch and Dill while exploiting the efficiency gains possible with p-terms. In our processor model, we can abstract register identifiers as unrestricted terms, while modeling program data and instruction data as p-terms. As a result, our verifications cover designs with arbitrarily many registers. In contrast, both [BBCZ98] and [DPR98] used bit encodings of register identifiers and were unable to scale their verifications to a realistic number of registers.

In a recent paper, Pnueli et al. [PRSS99] also propose a method to exploit the polarity of the equations in a formula containing uninterpreted functions with equality. They describe an algorithm to generate a small domain for each domain variable such that the universal validity of the formula can be determined by considering only interpretations in which the variables range over their restricted domains. A key difference of their work is that they examine the equation structure after replacing all function application terms with domain variables and introducing functional consistency constraints as described by Ackermann [Ack54]. These consistency constraints typically contain large numbers of equations — far more than occur in the original formula — that mask the original p-term structure. As an example, comparing the top and bottom parts of Figure 6 illustrates the large number of equations that may be generated when applying Ackermann's method.



term    ::= ITE(formula, term, term)
          | function-symbol(term, ..., term)

formula ::= true | false | ¬formula
          | (formula ∧ formula) | (formula ∨ formula)
          | (term = term)
          | predicate-symbol(term, ..., term)

Figure 1: Syntax Rules for the Logic of Equality with Uninterpreted Functions (EUF)

By contrast, our method is based on the original formula structure. In addition, we use a new 
method of replacing function application terms with domain variables. Our scheme allows us to 
exploit maximal diversity by assigning fixed values to the domain variables generated while expanding p-function application terms. Quite possibly, a variant of their method could be used to
generate a small domain for each of the other variables in the formula. 

The remainder of the paper is organized as follows. We define the syntax and semantics of our 
logic by extending that of Burch and Dill's. We describe a simple procedure for automatically 
converting a formula from Burch and Dill's logic to ours. We prove our central result concerning 
the need to consider only maximally diverse interpretations when deciding the validity of formulas 
in our logic. As a first step in transforming our logic into propositional logic, we describe a new 
method of eliminating function application terms in a formula. Building on this, we describe two 
methods of translating formulas into propositional logic and show how these methods can exploit 
the properties of p-terms. We discuss the abstractions required to model processor pipelines in our 
logic. Finally, we present experimental results showing our ability to verify a simple, but complete 
pipelined processor. More complete details on an implementation that has successfully verified 
several superscalar processor designs are presented in [VB99].



2 Logic of Equality with Uninterpreted Functions (EUF) 



The logic of Equality with Uninterpreted Functions (EUF) presented by Burch and Dill [BD94] can be expressed by the syntax given in Figure 1. In this logic, formulas have truth values while terms have values from some arbitrary domain. Terms are formed by application of uninterpreted function symbols and by applications of the ITE (for "if-then-else") operator. The ITE operator chooses between two terms based on a Boolean control value, i.e., ITE(true, $x_1$, $x_2$) yields $x_1$ while ITE(false, $x_1$, $x_2$) yields $x_2$. Formulas are formed by comparing two terms with equality, by applying an uninterpreted predicate symbol to a list of terms, and by combining formulas using Boolean connectives. A formula expressing equality between two terms is called an equation. We use expression to refer to either a term or a formula.

$$\begin{array}{ll}
\text{Form } E & \text{Valuation } I[E] \\
\hline
\mathrm{true} & \mathrm{true} \\
\mathrm{false} & \mathrm{false} \\
\neg F & \neg I[F] \\
F_1 \wedge F_2 & I[F_1] \wedge I[F_2] \\
p(T_1, \ldots, T_k) & I(p)(I[T_1], \ldots, I[T_k]) \\
T_1 = T_2 & I[T_1] = I[T_2] \\
\mathrm{ITE}(F, T_1, T_2) & I[T_1] \text{ if } I[F] = \mathrm{true},\ I[T_2] \text{ otherwise} \\
f(T_1, \ldots, T_k) & I(f)(I[T_1], \ldots, I[T_k])
\end{array}$$

Table 1: Evaluation of EUF Formulas and Terms

Every function symbol $f$ has an associated order, denoted $\mathit{ord}(f)$, indicating the number of terms it takes as arguments. Function symbols of order zero are referred to as domain variables. We use the shortened form $v$ rather than $v()$ to denote an instance of a domain variable. Similarly, every predicate $p$ has an associated order $\mathit{ord}(p)$. Predicates of order zero are referred to as propositional variables, and can be written $a$ rather than $a()$.

The truth of a formula is defined relative to a nonempty domain $\mathcal{D}$ of values and an interpretation $I$ of the function and predicate symbols. Interpretation $I$ assigns to each function symbol of order $k$ a function from $\mathcal{D}^k$ to $\mathcal{D}$, and to each predicate symbol of order $k$ a function from $\mathcal{D}^k$ to {true, false}. For the special case of order zero symbols, i.e., domain (respectively, propositional) variables, the interpretation assigns an element of $\mathcal{D}$ (resp., {true, false}). Given an interpretation $I$ of the function and predicate symbols and an expression $E$, we can define the valuation of $E$ under $I$, denoted $I[E]$, according to its syntactic structure. The valuation is defined recursively, as shown in Table 1. $I[E]$ will be an element of the domain when $E$ is a term, and a truth value when $E$ is a formula.

A formula $F$ is said to be true under interpretation $I$ when $I[F] = \mathrm{true}$. It is said to be valid over domain $\mathcal{D}$ when it is true over domain $\mathcal{D}$ for all interpretations of the symbols in $F$. $F$ is said to be universally valid when it is valid over all domains. A basic property of validity is that a given formula is valid over a domain $\mathcal{D}$ iff it is valid over all domains having the same cardinality as $\mathcal{D}$. This follows from the fact that a given formula has the same truth value in any two isomorphic interpretations of the symbols in the formula. Another property of the logic, which can be readily shown, is that if $F$ is valid over a suitably large domain, then it is universally valid [Ack54]. In particular, it suffices to have a domain as large as the number of syntactically distinct function application terms occurring in $F$. We are interested in decision procedures that determine whether or not a formula is universally valid; we will show how to do this by dynamically constructing a sufficiently large domain as the formula is being analyzed.



g-term    ::= ITE(g-formula, g-term, g-term)
            | g-function-symbol(p-term, ..., p-term)

p-term    ::= g-term
            | ITE(g-formula, p-term, p-term)
            | p-function-symbol(p-term, ..., p-term)

g-formula ::= true | false | ¬g-formula
            | (g-formula ∧ g-formula) | (g-formula ∨ g-formula)
            | (g-term = g-term)
            | predicate-symbol(p-term, ..., p-term)

p-formula ::= g-formula
            | (p-formula ∧ p-formula) | (p-formula ∨ p-formula)
            | (p-term = p-term)

Figure 2: Syntax Rules for the Logic of Positive Equality with Uninterpreted Functions (PEUF)

3 Positive Equality with Uninterpreted Functions (PEUF) 

We can improve the efficiency of validity checking by treating positive and negative equations 
differently when reducing EUF to propositional logic. Informally, an equation is positive if it does 
not appear negated in a formula. In particular, a positive equation cannot appear as the formula 
that controls the value of an ITE term; such formulas are considered to appear both positively and 
negatively. 



3.1 Syntax 

PEUF is an extended logic based on EUF; its syntax is shown in Figure 2. The main idea is
that there are two disjoint classes of function symbols, called p-function symbols and g-function 
symbols, and two classes of terms. 

General terms, or g-terms, correspond to terms in EUF. Syntactically, a g-term is a g-function 
application or an ITE term in which the two result terms are hereditarily built from g-function 
applications and ITEs. 

The new class of terms is called positive terms, or p-terms. P-terms may not appear in negated equations, i.e., equations within the scope of a logical negation. Since p-terms can contain p-function symbols, the syntax is restricted in a way that prevents p-terms from appearing in negative equations. When two p-terms are compared for equality, the result is a special, restricted kind of formula called a p-formula.

Figure 3: Schematic Representation of $F_{eg}$. Domain values are shown as solid lines, while truth values are shown as dashed lines.

Note that our syntax allows any g-term to be "promoted" to a p-term. Throughout the syntax 
definition, we require function and predicate symbols to take p-terms as arguments. However, 
since g-terms can be promoted, the requirement to use p-terms as arguments does not restrict the 
use of g-function symbols or g-terms. In essence, g-function symbols may be used as freely in our 
logic as in EUF, but the p-function symbols are restricted. To maintain the restriction on p-function 
symbols, the syntax does not permit a p-term to be promoted to a g-term. 

A g-formula is a Boolean combination of equations on g-terms and applications of predicate symbols. G-formulas in our logic serve as Boolean control expressions in ITE terms. A g-formula can
contain negation, and ITE implicitly negates its Boolean control, so only g-terms are allowed in 
equations in g-formulas. 

Finally, the syntactic class p-formula is the class for which we develop validity checking methods. P-formulas are built up using only the monotonically positive Boolean operations $\wedge$ and $\vee$. P-formulas may not be placed under a negation sign and cannot be used as the control for an ITE operation. As described in later sections, our validity checking methods will take advantage of the assumption that in p-formulas, the p-terms cannot appear in negative equations.

As a running example for this paper, we consider the formula $x = y \Rightarrow h(g(x), g(g(x))) = h(g(y), g(g(x)))$, which would be transformed into a p-formula $F_{eg}$ by eliminating the implication:

$$F_{eg} \;=\; \neg(x = y) \vee h(g(x), g(g(x))) = h(g(y), g(g(x))) \qquad (1)$$



Domain variables $x$ and $y$ must be g-function symbols so that we can consider the equation $x = y$ to be a g-formula, and hence it can be negated to give g-formula $\neg(x = y)$. We can promote the g-terms $x$ and $y$ to p-terms, and we can consider function symbols $g$ and $h$ to be p-function symbols, giving p-terms $g(x)$, $g(y)$, $g(g(x))$, $h(g(x), g(g(x)))$, and $h(g(y), g(g(x)))$. Thus, the equation $h(g(x), g(g(x))) = h(g(y), g(g(x)))$ is a p-formula. We form the disjunction of this p-formula with the p-formula obtained by promoting $\neg(x = y)$, giving p-formula $F_{eg}$.

Figure 3 shows a schematic representation of $F_{eg}$, using drawing conventions similar to those
found in hardware designs. That is, we view domain variables as inputs (shown along bottom) to 
a network of operators. Domain values are denoted with solid lines, while truth values are denoted 
with dashed lines. The top-level formula then becomes the network output, shown on the right. 
The operators in the network are shared whenever possible. This representation is isomorphic to 
the traditional directed acyclic graph (DAG) representation of an expression, with maximal sharing 
of common subexpressions. 



3.2 Extracting PEUF from EUF 

Observe that PEUF does not extend the expressive power of EUF — we could translate any PEUF 
expression into EUF by considering both the p-terms and g-terms to be terms and both the p-formulas and g-formulas to be formulas. Instead, the benefit of PEUF is that by distinguishing
some portion of a formula as satisfying a restricted set of properties, we can radically reduce the 
number of different interpretations we must consider when proving that a p-formula is universally 
valid. 

In fact, we can automatically extract the PEUF syntax from an EUF formula by the following 
process, and hence our decision procedure can be viewed as one that automatically exploits the 
polarity structure of equations in an arbitrary EUF formula $F_{top}$. The main task is to classify the
function symbols as either p-function or g-function symbols. 

We assume our EUF formula $F_{top}$ is in negation-normal form, meaning that the negation operation $\neg$ is applied only to equations and predicate applications. We can convert an arbitrary formula into negation-normal form by applying the following syntactic transformations:

$$\begin{array}{rcl}
\neg\mathrm{true} & \rightarrow & \mathrm{false} \\
\neg\mathrm{false} & \rightarrow & \mathrm{true} \\
\neg\neg F & \rightarrow & F \\
\neg(F_1 \wedge F_2) & \rightarrow & \neg F_1 \vee \neg F_2 \\
\neg(F_1 \vee F_2) & \rightarrow & \neg F_1 \wedge \neg F_2
\end{array}$$



To formalize the relationship between EUF expressions and PEUF expressions, we introduce a 
tree representation of EUF expressions. The rules for the tree representation are as follows: 



1. If $E$ is an EUF expression having no proper subexpressions (true, false, a domain variable, or a propositional variable), then $E$ is represented by a tree consisting of a single node labelled with $E$.

2. If $E$ is an EUF expression having $n$ proper subexpressions, then $E$ is represented by a tree whose root node is labelled with the main operator ($=$, ITE, $\wedge$, $\vee$, $\neg$, predicate symbol, function symbol). Attached to the root node are $n$ subtrees, where the $i$th subtree represents the $i$th proper subexpression.

We define a parsing of an EUF expression as a PEUF expression. Let t be a tree representing 
an EUF expression E. A parsing of E as a PEUF expression is a function that assigns to each 
node of t a set of syntax classes in the formal syntax of PEUF, such that the syntax rules of PEUF 
(Figure 2) are satisfied. Note that this definition allows multiple syntax classes to be assigned to a given tree node. This multiplicity arises due to the two syntax rules: p-formula ::= g-formula, and p-term ::= g-term. That is, every tree node that can be classified as a g-formula (respectively, g-term) can also be classified as a p-formula (resp., p-term).

We say there is a parsing of an EUF expression E as a PEUF expression of a given syntax class cl, 
if there is a parsing of a tree representing E that satisfies the PEUF syntax rules, and cl is in the 
set of syntax classes assigned to the root node of the tree. 

To state the main result of this section about parsing, we first define several sets of expressions. Let $\Phi$ (respectively $\Theta$) be the set of all syntactically-distinct formulas (resp., terms) occurring in $F_{top}$. We define the set $\Phi^- \subseteq \Phi$ of negative formulas to be the smallest set of formulas satisfying the following conditions:

1. For every formula $\neg F$ in $\Phi$, formula $F$ is in $\Phi^-$.

2. For every term $\mathrm{ITE}(F, T_1, T_2)$ in $\Theta$, formula $F$ is in $\Phi^-$.

3. For every formula $F_1 \wedge F_2$ in $\Phi^-$, formulas $F_1$ and $F_2$ are in $\Phi^-$.

4. For every formula $F_1 \vee F_2$ in $\Phi^-$, formulas $F_1$ and $F_2$ are in $\Phi^-$.

We define the set $\Theta^- \subseteq \Theta$ of negative terms to be the smallest set of terms satisfying:

1. For every equation $T_1 = T_2$ in $\Phi^-$, terms $T_1$ and $T_2$ are in $\Theta^-$.

2. For every term $\mathrm{ITE}(F, T_1, T_2)$ in $\Theta^-$, terms $T_1$ and $T_2$ are in $\Theta^-$.

Finally, we partition the set of all function symbols $\mathcal{F}$ into disjoint sets $\mathcal{F}_g$ and $\mathcal{F}_p$ as follows. If there is some term in $\Theta^-$ of the form $f(T_1, \ldots, T_k)$, then $f$ is in $\mathcal{F}_g$. If there is no such term, then $f$ is in $\mathcal{F}_p$.
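As an added example (not code from the paper), the following Python carries out the extraction process just described on the running example: it puts a formula in negation-normal form, computes the sets $\Phi^-$ and $\Theta^-$ as a closure, and partitions the function symbols into $\mathcal{F}_g$ and $\mathcal{F}_p$. The tagged-tuple encoding of EUF expressions and all function names are assumptions of this example.

```python
# Added example, not code from the paper. Constructed tagged-tuple encoding of
# EUF expressions (an assumption of this example, not the paper's notation):
#   formulas: ('TRUE',), ('FALSE',), ('NOT', F), ('AND', F1, F2), ('OR', F1, F2),
#             ('EQ', T1, T2), ('PRED', name, (T1, ..., Tk))
#   terms:    ('ITE', F, T1, T2), ('APP', name, (T1, ..., Tk))
#   a domain variable is a function application of order zero: ('APP', 'x', ())


def nnf(f):
    """Negation-normal form: push every negation down to equations and predicate
    applications with the five rewrite rules of Section 3.2 (ITE controls inside
    terms are normalised as well)."""
    tag = f[0]
    if tag in ('TRUE', 'FALSE'):
        return f
    if tag in ('AND', 'OR'):
        return (tag, nnf(f[1]), nnf(f[2]))
    if tag == 'EQ':
        return ('EQ', nnf_term(f[1]), nnf_term(f[2]))
    if tag == 'PRED':
        return ('PRED', f[1], tuple(nnf_term(t) for t in f[2]))
    g = f[1]                      # tag == 'NOT': rewrite the negated formula g
    if g[0] == 'TRUE':
        return ('FALSE',)
    if g[0] == 'FALSE':
        return ('TRUE',)
    if g[0] == 'NOT':
        return nnf(g[1])
    if g[0] == 'AND':
        return ('OR', nnf(('NOT', g[1])), nnf(('NOT', g[2])))
    if g[0] == 'OR':
        return ('AND', nnf(('NOT', g[1])), nnf(('NOT', g[2])))
    return ('NOT', nnf(g))        # a negated equation or predicate application stays


def nnf_term(t):
    if t[0] == 'ITE':
        return ('ITE', nnf(t[1]), nnf_term(t[2]), nnf_term(t[3]))
    return ('APP', t[1], tuple(nnf_term(a) for a in t[2]))


def subexpressions(e):
    """Every subexpression of e (formulas and terms), e itself included."""
    yield e
    children = e[2] if e[0] in ('PRED', 'APP') else e[1:]
    for child in children:
        yield from subexpressions(child)


def negative_sets(f_top):
    """The smallest sets Phi^- (negative formulas) and Theta^- (negative terms)
    of Section 3.2, computed as a closure over a worklist."""
    neg_f, neg_t, work = set(), set(), []

    def add(target, e):
        if e not in target:
            target.add(e)
            work.append(e)

    for e in subexpressions(f_top):
        if e[0] in ('NOT', 'ITE'):    # Phi^- rules 1 and 2: negated formulas, ITE controls
            add(neg_f, e[1])
    while work:
        e = work.pop()
        if e[0] in ('AND', 'OR'):     # Phi^- rules 3 and 4: operands of negative and/or
            add(neg_f, e[1])
            add(neg_f, e[2])
        elif e[0] == 'EQ':            # Theta^- rule 1: both sides of a negative equation
            add(neg_t, e[1])
            add(neg_t, e[2])
        elif e[0] == 'ITE':           # Theta^- rule 2: both branches of a negative ITE term
            add(neg_t, e[2])
            add(neg_t, e[3])
    return neg_f, neg_t


def classify_symbols(f_top):
    """Return (F_g, F_p): a symbol is a g-function symbol exactly when one of its
    applications is a negative term; every other symbol is a p-function symbol."""
    f_top = nnf(f_top)
    _, neg_t = negative_sets(f_top)
    symbols = {e[1] for e in subexpressions(f_top) if e[0] == 'APP'}
    g_symbols = {t[1] for t in neg_t if t[0] == 'APP'}
    return g_symbols, symbols - g_symbols


def var(name):
    return ('APP', name, ())


def app(name, *args):
    return ('APP', name, tuple(args))


def running_example():
    """x = y => h(g(x), g(g(x))) = h(g(y), g(g(x))), with the implication written
    as ~(x = y and ~(...)) so that nnf() has work to do; Equation 1 is the result."""
    x, y = var('x'), var('y')
    lhs = app('h', app('g', x), app('g', app('g', x)))
    rhs = app('h', app('g', y), app('g', app('g', x)))
    return ('NOT', ('AND', ('EQ', x, y), ('NOT', ('EQ', lhs, rhs))))


if __name__ == '__main__':
    print(nnf(running_example()))          # ('OR', ('NOT', ('EQ', x, y)), ('EQ', ...))
    print(classify_symbols(running_example()))   # ({'x', 'y'}, {'g', 'h'})
```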




Theorem 1 For any negation-normal EUF formula $F_{top}$, there is a parsing of $F_{top}$ as a PEUF p-formula such that each function symbol in $\mathcal{F}_g$ is a g-function symbol, and each function symbol in $\mathcal{F}_p$ is a p-function symbol.

Proof: 

For the remainder of this proof, we consider a fixed EUF formula $F_{top}$. We will only consider a function to be a parsing if it is a parsing when the set of g-function symbols is $\mathcal{F}_g$ and the set of p-function symbols is $\mathcal{F}_p$.

We prove this theorem by induction on the syntactic structure of $F_{top}$. Our induction hypothesis consists of four assertions, two for terms and two for formulas:

1. For $T \in \Theta$ such that $T \in \Theta^-$ or $T$ is a function application with a function symbol in $\mathcal{F}_g$, there is a parsing of $T$ as a g-term.

2. For $T \in \Theta$, there is a parsing of $T$ as a p-term.

3. For $F \in \Phi$ satisfying one of the following conditions:

(a) $F$ is true or false,

(b) $F$ is a formula of the form $\neg F_1$,

(c) $F$ is a predicate application,

(d) $F$ is in $\Phi^-$,

there is a parsing of $F$ as a g-formula.

4. For $F \in \Phi$, there is a parsing of $F$ as a p-formula.

Recall that the syntax of PEUF allows any g-formula to be promoted to a p-formula, and any 
g-term to be promoted to a p-term. These promotion rules will be used several times in the proof. 

For the base cases, we consider expressions having no proper subexpressions: 

1. For a domain variable $v$, if $v \in \Theta^-$, then $v \in \mathcal{F}_g$, so there is a parsing of $v$ as a g-term and a parsing as a p-term.

2. For a domain variable $v \in \Theta - \Theta^-$, $v$ is in $\mathcal{F}_p$, so there is a parsing of $v$ as a p-term.

3. EUF formulas true and false can be parsed as either g-formulas or p-formulas.

4. For a propositional variable $p$, there is a parsing of $p$ as a g-formula or as a p-formula.

For the inductive argument, we prove the following cases for EUF expressions, assuming that all 
proper subexpressions obey the induction hypothesis. 




1. Terms in $\Theta$:

(a) Consider $T = \mathrm{ITE}(F, T_1, T_2)$. If $T \in \Theta^-$, then by definition, $F \in \Phi^-$ and $T_1, T_2 \in \Theta^-$. Thus, by the inductive hypothesis, there are parsings of $F$ as a g-formula and of $T_1$ and $T_2$ as g-terms. This means there is a parsing of $T$ as a g-term.

If $T \in \Theta$, then by the inductive hypothesis, there are parsings of $F$ as a g-formula and of $T_1$ and $T_2$ as p-terms. Thus there is a parsing of $T$ as a p-term.

(b) Consider $T = f(T_1, \ldots, T_k)$. By the inductive hypothesis, there are parsings of $T_1, \ldots, T_k$ as p-terms. When $f \in \mathcal{F}_g$, there are parsings of $T$ as a g-term and, by promotion, as a p-term. When $f \in \mathcal{F}_p$, there is a parsing of $T$ as a p-term. Thus, there is a parsing of $T$ as a p-term in either case. In addition, when $T \in \Theta^-$, we must have $f \in \mathcal{F}_g$, and hence there is also a parsing of $T$ as a g-term.

2. Formulas in $\Phi$:

(a) Consider $F = \neg F_1$. We have $F_1 \in \Phi^-$, so there is a parsing of $F_1$ as a g-formula. Hence $F$ can be parsed as a g-formula or a p-formula.

(b) Consider $F = F_1 \wedge F_2$. If $F$ is in $\Phi^-$, then $F_1, F_2$ are in $\Phi^-$, so $F_1, F_2$ can be parsed as g-formulas and $F$ can be parsed as a g-formula or as a p-formula.

If $F$ is in $\Phi$, then $F_1, F_2$ can be parsed as p-formulas, so $F$ can be parsed as a p-formula.

(c) Consider $F = F_1 \vee F_2$. Similar to previous case.

(d) Consider $F = (T_1 = T_2)$. If $F \in \Phi^-$, then $T_1, T_2 \in \Theta^-$ and hence $T_1$ and $T_2$ can be parsed as g-terms, so $F$ can be parsed as a g-formula or as a p-formula.

If $F \in \Phi$, then $T_1$ and $T_2$ can be parsed as p-terms, so $F$ can be parsed as a p-formula.

(e) Consider $F = p(T_1, \ldots, T_k)$. By the inductive hypothesis, there are parsings of $T_1, \ldots, T_k$ as p-terms. Thus there is a parsing of $F$ as a g-formula, and by promotion, as a p-formula.

The theorem follows directly from the induction hypothesis. □

3.3 Diverse Interpretations 

Let $\mathcal{T}$ be a set of terms, where a term may be either a g-term or a p-term. We consider two terms to be distinct only if they differ syntactically. An expression may therefore contain multiple instances of a single term. We classify terms as either p-function applications, g-function applications, or ITE terms, according to their top-level operation. The first two categories are collectively referred to as function application terms. For any g-formula or p-formula $F$, define $\mathcal{T}(F)$ as the set of all function application terms occurring in $F$.

An interpretation $I$ partitions a term set $\mathcal{T}$ into a set of equivalence classes, where terms $T_1$ and $T_2$ are equivalent under $I$, written $T_1 \approx_I T_2$, when $I[T_1] = I[T_2]$. Interpretation $I'$ is said to be a refinement of $I$ for term set $\mathcal{T}$ when $T_1 \approx_{I'} T_2 \Rightarrow T_1 \approx_I T_2$ for every pair of terms $T_1$ and $T_2$ in $\mathcal{T}$. $I'$ is a proper refinement of $I$ for $\mathcal{T}$ when it is a refinement and there is at least one pair of terms $T_1, T_2 \in \mathcal{T}$ such that $T_1 \approx_I T_2$, but $T_1 \not\approx_{I'} T_2$.

$$\begin{array}{lll}
\mathrm{I1} & \{x, y\}, \{g_1\}, \{g_2\}, \{g_3\}, \{h_1\}, \{h_2\} & \text{Inconsistent} \\
\mathrm{I2} & \{x\}, \{y\}, \{g_1, g_2\}, \{g_3\}, \{h_1\}, \{h_2\} & \text{Inconsistent} \\
\mathrm{C1} & \{x\}, \{y\}, \{g_1, g_2\}, \{g_3\}, \{h_1, h_2\} & \text{Diverse w.r.t. } x, y, h \\
\mathrm{C2} & \{x, g_3\}, \{y\}, \{g_1\}, \{g_2\}, \{h_1\}, \{h_2\} & \text{Diverse w.r.t. } y, h \\
\mathrm{D1} & \{x\}, \{y\}, \{g_1\}, \{g_2\}, \{g_3\}, \{h_1\}, \{h_2\} & \text{Diverse w.r.t. } x, y, g, h \\
\mathrm{D2} & \{x, y\}, \{g_1, g_2\}, \{g_3\}, \{h_1, h_2\} & \text{Diverse w.r.t. } g, h
\end{array}$$

Table 2: Example Partitionings of Terms $x$, $y$, $g_1 = g(x)$, $g_2 = g(y)$, $g_3 = g(g(x))$, $h_1 = h(g(x), g(g(x)))$, and $h_2 = h(g(y), g(g(x)))$.

Let $\Sigma$ denote a subset of the function symbols in p-formula $F$. An interpretation $I$ is said to be diverse for $F$ with respect to $\Sigma$ when it provides a maximal partitioning of the function application terms in $\mathcal{T}(F)$ having a top-level function symbol from $\Sigma$, relative to each other and to the other function application terms, but subject to the constraints of functional consistency. That is, for $T_1$ of the form $f(T_{1,1}, \ldots, T_{1,k})$, where $f \in \Sigma$, an interpretation $I$ is diverse with respect to $\Sigma$ if $I$ has $T_1 \approx_I T_2$ only in the case where $T_2$ is also a term of the form $f(T_{2,1}, \ldots, T_{2,k})$ and $T_{1,i} \approx_I T_{2,i}$ for all $i$ such that $1 \le i \le k$. If we let $\Sigma_p(F)$ denote the set of all p-function symbols in $F$, then interpretation $I$ is said to be maximally diverse when it is diverse with respect to $\Sigma_p(F)$. Note that in a maximally diverse interpretation, the p-function application terms for a given function symbol must be in separate equivalence classes from those for any other p-function or g-function symbol.

As an example, consider the p-formula $F_{eg}$ given in Equation 1. There are seven distinct function application terms, identified as follows:

    x     x
    y     y
    g1    g(x)
    g2    g(y)
    g3    g(g(x))
    h1    h(g(x), g(g(x)))
    h2    h(g(y), g(g(x)))

Table 2 shows 6 of the 877 different ways to partition seven objects into equivalence classes. Many of these violate functional consistency. For example, the partitioning I1 describes a case where $x$ and $y$ are equal, but $g(x)$ and $g(y)$ are not. Similarly, partitioning I2 describes a case where $g(x)$ and $g(y)$ are equal, but $h(g(x), g(g(x)))$ and $h(g(y), g(g(x)))$ are not.

Eliminating the inconsistent cases gives 384 partitionings. Many of these do not arise from maximally diverse interpretations, however. For example, partitioning C1 arises from an interpretation that is not diverse with respect to $g$ (it has $g_1 \approx g_2$ although $x \not\approx y$), while partitioning C2 arises from an interpretation that is not diverse with respect to $g$ either, since the class $\{x, g_3\}$ places the $g$-application $g_3$ together with a term that is not an application of $g$. In fact, there are only two partitionings, D1 and D2, that arise from maximally diverse interpretations. Partition D1 corresponds to an interpretation that is diverse with respect to all of its function symbols. Partition D2 is diverse with respect to both $g$ and $h$, even though terms $g_1$ and $g_2$ are in the same class, as are $h_1$ and $h_2$. Both of these groupings are forced by functional consistency: having $x = y$ forces $g(x) = g(y)$, which in turn forces $h(g(x), g(g(x))) = h(g(y), g(g(x)))$. Since $g$ and $h$ are the only p-function symbols, D2 is maximally diverse.
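The three counts quoted above (877 partitionings of the seven terms, 384 of them functionally consistent, and only two arising from maximally diverse interpretations) can be checked mechanically. The following Python code is an added example and is not part of the paper: it encodes the seven terms of Table 2 as nested tuples, enumerates every set partition, and tests each one against functional consistency and against the definition of diversity given in this section. The term encoding, the helper names and the dictionary `TABLE2` are this example's own.

```python
"""Partitionings of the seven function application terms of Section 3.3:
functional consistency and (maximal) diversity.  Added example code; it is
not from the paper."""
from itertools import combinations

# Terms are nested tuples (symbol, arg1, ..., argk); a domain variable is a
# zero-order symbol, i.e. a tuple of length 1.
X, Y = ("x",), ("y",)
G1, G2 = ("g", X), ("g", Y)
G3 = ("g", G1)
H1, H2 = ("h", G1, G3), ("h", G2, G3)
TERMS = [X, Y, G1, G2, G3, H1, H2]
NAMES = {X: "x", Y: "y", G1: "g1", G2: "g2", G3: "g3", H1: "h1", H2: "h2"}
BY_NAME = {v: k for k, v in NAMES.items()}
P_SYMBOLS = {"g", "h"}   # Sigma_p(F_eg): g and h are the p-function symbols


def set_partitions(items):
    """Yield every partition of `items` as a list of blocks."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in set_partitions(rest):
        for i in range(len(smaller)):            # join an existing block
            yield smaller[:i] + [[first] + smaller[i]] + smaller[i + 1:]
        yield [[first]] + smaller                # or start a new one


def partition(*blocks):
    """Build a partition from blocks written as space-separated term names."""
    return [[BY_NAME[n] for n in b.split()] for b in blocks]


def class_of(p):
    """Map each term to the index of its equivalence class in p."""
    return {t: i for i, block in enumerate(p) for t in block}


def same_args(t1, t2, cls):
    """Same function symbol, same arity, pairwise equivalent arguments."""
    return (t1[0] == t2[0] and len(t1) == len(t2)
            and all(cls[a] == cls[b] for a, b in zip(t1[1:], t2[1:])))


def is_consistent(p):
    """Functional consistency: equal arguments force equal results."""
    cls = class_of(p)
    return all(cls[t1] == cls[t2]
               for t1, t2 in combinations(TERMS, 2) if same_args(t1, t2, cls))


def is_diverse(p, symbols):
    """Diverse w.r.t. `symbols`: an application of f in `symbols` shares its
    class only with applications of f whose arguments are equivalent."""
    cls = class_of(p)
    return all(same_args(t1, t2, cls)
               for t1 in TERMS if t1[0] in symbols
               for t2 in TERMS if t2 != t1 and cls[t1] == cls[t2])


def is_maximally_diverse(p):
    """Consistent and diverse with respect to every p-function symbol."""
    return is_consistent(p) and is_diverse(p, P_SYMBOLS)


def diverse_symbols(p):
    """The symbols among x, y, g, h with respect to which p is diverse."""
    return {s for s in ("x", "y", "g", "h") if is_diverse(p, {s})}


def census():
    """Counts of all, functionally consistent, and maximally diverse
    partitionings of the seven terms."""
    parts = list(set_partitions(TERMS))
    consistent = [p for p in parts if is_consistent(p)]
    diverse = [p for p in consistent if is_diverse(p, P_SYMBOLS)]
    return len(parts), len(consistent), len(diverse)


# The six rows of Table 2.
TABLE2 = {
    "I1": partition("x y", "g1", "g2", "g3", "h1", "h2"),
    "I2": partition("x", "y", "g1 g2", "g3", "h1", "h2"),
    "C1": partition("x", "y", "g1 g2", "g3", "h1 h2"),
    "C2": partition("x g3", "y", "g1", "g2", "h1", "h2"),
    "D1": partition("x", "y", "g1", "g2", "g3", "h1", "h2"),
    "D2": partition("x y", "g1 g2", "g3", "h1 h2"),
}
```

`census()` returns `(877, 384, 2)`, and `diverse_symbols` reproduces the right-hand column of Table 2 for the consistent rows; only D1 and D2 satisfy `is_maximally_diverse`. Note that diversity is checked separately from consistency: a partition such as I1 is diverse with respect to $g$ and $h$ yet cannot arise from any interpretation, which is why `is_maximally_diverse` requires both.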

The following is the central result of the paper.

Theorem 2 A p-formula $F$ is universally valid if and only if it is true in all maximally diverse interpretations.

First, it is clear that if $F$ is universally valid, $F$ is true in all maximally diverse interpretations. We prove via the following two lemmas that if $F$ is true in all maximally diverse interpretations, it is universally valid.

Lemma 1 If interpretation $J$ is not maximally diverse for p-formula $F$, then there is an interpretation $J'$ that is a proper refinement of $J$ such that $J'[F] \Rightarrow J[F]$.

Proof: Let $T_1$ be a term occurring in $F$ of the form $f_1(T_{1,1}, \ldots, T_{1,k_1})$, where $f_1$ is a p-function symbol. Let $T_2$ be a term occurring in $F$ of the form $f_2(T_{2,1}, \ldots, T_{2,k_2})$, where $f_2$ may be either a p-function or a g-function symbol. Assume furthermore that $J[T_1]$ and $J[T_2]$ both equal $z$, but that either symbols $f_1$ and $f_2$ differ, or $J[T_{1,i}] \neq J[T_{2,i}]$ for some value of $i$. Such a pair of terms must exist, since $J$ is not diverse with respect to $\Sigma_p(F)$.

Let $z'$ be a value not in $\mathcal{D}$, and define a new domain $\mathcal{D}' = \mathcal{D} \cup \{z'\}$. Our strategy is to construct an interpretation $J'$ over $\mathcal{D}'$ that partitions the terms in $\mathcal{T}(F)$ in the same way as $J$, except that it splits the class containing terms $T_1$ and $T_2$ into two parts: one containing $T_1$ and evaluating to $z'$, and the other containing $T_2$ and evaluating to $z$.

Define function $\tau\colon \mathcal{D}' \to \mathcal{D}$ to map elements of $\mathcal{D}'$ back to their counterparts in $\mathcal{D}$, i.e., $\tau(z') = z$, while all other values of $x$ give $\tau(x)$ equal to $x$.

For p-function symbol $f_1$, define $J'(f_1)$ as:

$$J'(f_1)(x_1, \ldots, x_{k_1}) = \begin{cases} z', & \tau(x_i) = J[T_{1,i}],\ 1 \le i \le k_1 \\ J(f_1)(\tau(x_1), \ldots, \tau(x_{k_1})), & \text{otherwise} \end{cases}$$

For other function and predicate symbols, $J'$ is defined to preserve the functionality of interpretation $J$, while also treating argument values of $z'$ the same as $z$. That is, $J'(f)$ for function symbol $f$ having $ord(f)$ equal to $k$ is defined such that $J'(f)(x_1, \ldots, x_k) = J(f)(\tau(x_1), \ldots, \tau(x_k))$. Similarly, $J'(p)$ for predicate symbol $p$ having $ord(p)$ equal to $k$ is defined such that $J'(p)(x_1, \ldots, x_k) = J(p)(\tau(x_1), \ldots, \tau(x_k))$.

We claim the following properties for the different forms of subexpressions occurring in $F$:

1. For every g-formula $G$: $J'[G] = J[G]$

2. For every g-term $T$: $J'[T] = J[T]$

3. For every p-term $T$: $\tau(J'[T]) = J[T]$

4. For every p-formula $G$: $J'[G] \Rightarrow J[G]$

5. $J'[T_1] = z'$ and $J'[T_2] = z$.

Informally, interpretation $J'$ maintains the values of all g-terms and g-formulas as they occur under interpretation $J$. It also maintains the values of all p-terms, except those in the class containing terms $T_1$ and $T_2$. These p-terms are split into some having valuation $z$ and others having valuation $z'$. With respect to p-formulas, consider first an equation of the form $S_1 = S_2$, where $S_1$ and $S_2$ are p-terms. The equation will yield the same value under both interpretations except under the condition that $S_1$ and $S_2$ are split into different parts of the class that originally evaluated to $z$, in which case the equation will yield true under $J$, but false under $J'$. Thus, although this equation can yield different values under the two interpretations, we always have that $J'[S_1 = S_2] \Rightarrow J[S_1 = S_2]$. This implication relation is preserved by conjunctions and disjunctions of p-formulas, due to the monotonicity of these operations.

We will now present this argument formally. Most of the cases are straightforward; we indicate those that are "interesting." We prove hypotheses 1 to 4 above by simultaneous induction on the expression structures.

For the base cases, we have:

1. G-formula: $J'[\mathit{true}] = J[\mathit{true}]$, $J'[\mathit{false}] = J[\mathit{false}]$, and $J'[a] = J[a]$ for any propositional variable $a$.

2. G-term: If $v$ is a g-function symbol of zero order, then $J'(v) = J(v)$.

3. P-term: If $v$ is a p-function symbol of zero order, then by the definition of $J'$, $\tau(J'(v)) = J(v)$.

4. P-formula: same as g-formula.

For the inductive step, we prove that hypotheses 1 through 4 hold for an expression given that they hold for all of its subexpressions.

1. G-formula: There are several cases, depending on the form of $G$.

(a) Suppose $G$ has one of the forms $\neg G_1$, $G_1 \wedge G_2$, $G_1 \vee G_2$, where $G_1$ and $G_2$ are g-formulas. By the inductive hypothesis, $J'[G_1] = J[G_1]$ and $J'[G_2] = J[G_2]$. It follows that $J'[\neg G_1] = J[\neg G_1]$, $J'[G_1 \wedge G_2] = J[G_1 \wedge G_2]$, and $J'[G_1 \vee G_2] = J[G_1 \vee G_2]$.

(b) Suppose $G$ has the form $S_1 = S_2$, where $S_1$, $S_2$ are g-terms. By the inductive hypothesis on g-terms, $J'[S_1] = J[S_1]$ and $J'[S_2] = J[S_2]$. It follows that $J'[S_1 = S_2] = J[S_1 = S_2]$.

(c) The remaining case is that $G$ is a predicate application of the form $p(S_1, \ldots, S_k)$, where $p$ is a predicate symbol of order $k$, and $S_1, \ldots, S_k$ are p-terms. By the inductive hypothesis for p-terms, we have $\tau(J'[S_i]) = J[S_i]$ for $i = 1, \ldots, k$. By the definition of $J'$,

$$\begin{aligned} J'[p(S_1, \ldots, S_k)] &= J'(p)(J'[S_1], \ldots, J'[S_k]) \\ &= J(p)(\tau(J'[S_1]), \ldots, \tau(J'[S_k])) \\ &= J(p)(J[S_1], \ldots, J[S_k]) \\ &= J[p(S_1, \ldots, S_k)]. \end{aligned}$$

2. G-term: There are two cases.

(a) Suppose $T$ has the form $ITE(G, S_1, S_2)$, where $G$ is a g-formula, and $S_1$ and $S_2$ are g-terms. By the inductive hypothesis, we have $J'[G] = J[G]$, $J'[S_1] = J[S_1]$, and $J'[S_2] = J[S_2]$. Then $J'[ITE(G, S_1, S_2)] = J[ITE(G, S_1, S_2)]$.

(b) Suppose $T$ has the form $f(S_1, \ldots, S_k)$, where $f$ is a g-function symbol of order $k$ and $S_1, \ldots, S_k$ are p-terms. By the inductive hypothesis, $\tau(J'[S_i]) = J[S_i]$ for $i = 1, \ldots, k$. Then we have

$$\begin{aligned} J'[f(S_1, \ldots, S_k)] &= J'(f)(J'[S_1], \ldots, J'[S_k]) \\ &= J(f)(\tau(J'[S_1]), \ldots, \tau(J'[S_k])) \\ &= J(f)(J[S_1], \ldots, J[S_k]) \\ &= J[f(S_1, \ldots, S_k)]. \end{aligned}$$

3. P-term: There are three cases.

(a) Suppose $T$ is a g-term. By the inductive hypothesis, $J'[T] = J[T]$. Since $J[T]$ lies in $\mathcal{D}$ and therefore cannot be equal to $z'$, it must be the case that $\tau(J'[T]) = J[T]$.

(b) Suppose $T$ has the form $ITE(G, S_1, S_2)$, where $G$ is a g-formula, and $S_1$ and $S_2$ are p-terms. By the inductive hypothesis, $J'[G] = J[G]$, $\tau(J'[S_1]) = J[S_1]$, and $\tau(J'[S_2]) = J[S_2]$. It follows that

$$\begin{aligned} \tau(J'[ITE(G, S_1, S_2)]) &= \text{if } J'[G] \text{ then } \tau(J'[S_1]) \text{ else } \tau(J'[S_2]) \\ &= \text{if } J[G] \text{ then } J[S_1] \text{ else } J[S_2] \\ &= J[ITE(G, S_1, S_2)]. \end{aligned}$$

(c) [Important case:] Suppose that $T$ has the form $f(S_1, \ldots, S_k)$, where $f$ is a p-function symbol of order $k$ and $S_1, \ldots, S_k$ are p-terms. Here, we have to consider two cases. The first case is that the following two conditions hold: (1) $f$ is the function symbol $f_1$, i.e., the function symbol of the term $T_1$ mentioned at the beginning of the proof of this lemma, and (2) $\tau(J'[S_i]) = J[T_{1,i}]$ for $1 \le i \le k$. If these two conditions hold, then by the definition of $J'$, $J'[f_1(S_1, \ldots, S_k)] = z'$. On the other hand, condition (2) together with the inductive hypothesis gives $J[S_i] = \tau(J'[S_i]) = J[T_{1,i}]$ for all $i$, so by functional consistency $J[f_1(S_1, \ldots, S_k)] = J[T_1] = z$. Since $\tau(z') = z$, we have $\tau(J'[f_1(S_1, \ldots, S_k)]) = J[f_1(S_1, \ldots, S_k)]$.

The second case is when one of the two conditions mentioned above does not hold. Then $J'(f)$ applied to the argument values $J'[S_1], \ldots, J'[S_k]$ reduces to $J(f)(\tau(J'[S_1]), \ldots, \tau(J'[S_k]))$, and the proof of this case is identical to the proof of case 2(b) above.

4. P-formula: There are three cases.

(a) If the p-formula $G$ is a g-formula, then by the inductive hypothesis, $J'[G] = J[G]$, so $J'[G] \Rightarrow J[G]$.

(b) Suppose $G$ has one of the forms $G_1 \wedge G_2$ or $G_1 \vee G_2$, where $G_1$, $G_2$ are p-formulas. By the inductive hypothesis, $J'[G_1] \Rightarrow J[G_1]$ and $J'[G_2] \Rightarrow J[G_2]$. Thus we have

$$\begin{aligned} J'[G_1 \wedge G_2] &= J'[G_1] \wedge J'[G_2] \\ &\Rightarrow J[G_1] \wedge J[G_2] \\ &= J[G_1 \wedge G_2], \end{aligned}$$

so $J'[G_1 \wedge G_2] \Rightarrow J[G_1 \wedge G_2]$. The proof for $G_1 \vee G_2$ is the same.

(c) [Important case:] Finally, we consider the case that $G$ is a p-formula of the form $S_1 = S_2$, where $S_1$ and $S_2$ are p-terms. By the inductive hypothesis, we have that if $J'[S_i] = z'$, then $J[S_i] = z$, for $i = 1, 2$. Also, by the definition of $\tau$, we have that if $J'[S_i]$ does not equal $z'$, then $J'[S_i] = J[S_i]$. Now, we consider cases depending on whether $J'[S_1]$ or $J'[S_2]$ are equal to $z'$. If both terms are equal to $z'$ in $J'$, then both $J[S_1]$ and $J[S_2]$ must be equal to $z$, so the equation is true in both $J'$ and $J$. If neither $J'[S_1]$ nor $J'[S_2]$ is equal to $z'$, then $J'[S_1] = J[S_1]$ and $J'[S_2] = J[S_2]$, so the equation has the same truth value in $J'$ and $J$. The last case is that exactly one of the p-terms is equal to $z'$ in $J'$. In this case, the equation is false in $J'$, so we have $J'[G] \Rightarrow J[G]$. This completes the inductive proof.

Property 5 above, which implies that $J'$ is a proper refinement, is a consequence of the definition of $J'$ and the inductive properties 2 and 3. First, we show that $J'[T_1] = z'$. By definition, $J'[T_1] = J'(f_1)(J'[T_{1,1}], \ldots, J'[T_{1,k_1}])$. By property 3 on p-terms, we have $\tau(J'[T_{1,i}]) = J[T_{1,i}]$ for all $i$ in the range $1 \le i \le k_1$. By the definition of $J'(f_1)$, we have $J'(f_1)(J'[T_{1,1}], \ldots, J'[T_{1,k_1}]) = z'$.

The proof that $J'[T_2] = z$ is in two cases, depending on whether $T_1$ and $T_2$ are applications of the same function symbol.

1. First, consider the case that $T_1 = f_1(T_{1,1}, \ldots, T_{1,k_1})$ and $T_2 = f_2(T_{2,1}, \ldots, T_{2,k_2})$, where $f_1$ and $f_2$ are different function symbols. In this case,

$$\begin{aligned} J'[T_2] &= J'(f_2)(J'[T_{2,1}], \ldots, J'[T_{2,k_2}]) \\ &= J(f_2)(\tau(J'[T_{2,1}]), \ldots, \tau(J'[T_{2,k_2}])), \text{ by the definition of } J'(f_2) \\ &= J(f_2)(J[T_{2,1}], \ldots, J[T_{2,k_2}]), \text{ by property 3} \\ &= J[f_2(T_{2,1}, \ldots, T_{2,k_2})] \\ &= z. \end{aligned}$$

2. Finally, we have the case that $f_1$ and $f_2$ are the same function symbol (so $k_1 = k_2$), and there is some value of $l$ with $1 \le l \le k_1$ such that $J[T_{1,l}]$ does not equal $J[T_{2,l}]$. Here, we have:

$$J'[f_1(T_{2,1}, \ldots, T_{2,k_2})] = J'(f_1)(J'[T_{2,1}], \ldots, J'[T_{2,k_2}])$$

By property 3, $\tau(J'[T_{2,i}]) = J[T_{2,i}]$ for all $i$ such that $1 \le i \le k_1$. Since $\tau(J'[T_{2,l}]) = J[T_{2,l}]$ does not equal $J[T_{1,l}]$, the first case in the definition of $J'(f_1)$ does not apply, and the value of the above application of $J'(f_1)$ is:

$$\begin{aligned} J'(f_1)(J'[T_{2,1}], \ldots, J'[T_{2,k_2}]) &= J(f_1)(\tau(J'[T_{2,1}]), \ldots, \tau(J'[T_{2,k_2}])) \\ &= J(f_1)(J[T_{2,1}], \ldots, J[T_{2,k_2}]) \\ &= J[f_1(T_{2,1}, \ldots, T_{2,k_2})] \\ &= z. \end{aligned}$$

$\Box$

Lemma 2 For any interpretation $I$ and p-formula $F$, there is a maximally diverse interpretation $I^*$ for $F$ such that $I^*[F] \Rightarrow I[F]$.

Proof: Starting with interpretation $I_0$ equal to $I$, we define a sequence of interpretations $I_0, I_1, \ldots$ by repeatedly applying the construction of Lemma 1. That is, we derive each interpretation $I_{i+1}$ from its predecessor $I_i$ by letting $J = I_i$ and letting $I_{i+1} = J'$. Interpretation $I_{i+1}$ is a proper refinement of its predecessor $I_i$ such that $I_{i+1}[F] \Rightarrow I_i[F]$. At some step $n$, we must reach a maximally diverse interpretation $I_n$, because our set $\mathcal{T}(F)$ is finite and therefore can be properly refined only a finite number of times. We then let $I^*$ be $I_n$. We can see that $I^*[F] = I_n[F] \Rightarrow \cdots \Rightarrow I_0[F] = I[F]$, and hence $I^*[F] \Rightarrow I[F]$. $\Box$

The completion of the proof of Theorem 2 follows directly from Lemma 2. That is, if we start with any interpretation $I$ for p-formula $F$, we can construct a maximally diverse interpretation $I^*$ such that $I^*[F] \Rightarrow I[F]$. Assuming $F$ is true under all maximally diverse interpretations, $I^*[F]$ must hold, and since $I^*[F] \Rightarrow I[F]$, $I[F]$ must hold as well.



3.4 Exploiting Positive Equality in a Decision Procedure 

A decision procedure for PEUF must determine whether a given p-formula is universally valid. The procedure can significantly reduce the range of possible interpretations it must consider by exploiting the maximal diversity property. Theorem 2 shows that we can consider only interpretations in which the values produced by the application of any p-function symbol differ from those produced by the applications of any other p-function or g-function symbol. We can therefore consider the different p-function symbols to yield values over domains disjoint from one another and from the domain of g-function values. In addition, we can consider each application of a p-function symbol to yield a distinct value, except when its arguments match those of some other application of the same symbol.



4 Eliminating Function Applications 

Most work on transforming EUF into propositional logic has used the method described by Ackermann to eliminate applications of functions of nonzero order [Ack54]. In this scheme, each function application term is replaced by a new domain variable and constraints are added to the formula expressing functional consistency. Our approach also introduces new domain variables, but it replaces each function application term with a nested ITE structure that directly captures the effects of functional consistency. As we will show, our approach can readily exploit the maximal diversity property, while Ackermann's cannot.

In the presentation of our method for eliminating function and predicate applications, we initially 
consider formulas in EUF. We then show how our elimination method can exploit maximal diver- 
sity in PEUF formulas. 



4.1 Function Application Elimination Example 



We demonstrate our technique for replacing function applications by domain variables using formula $F_{eg}$ (Equation 1) as an example, as illustrated in Figure 4. First consider the three applications of function symbol $g$: $g(x)$, $g(y)$, and $g(g(x))$, which we identify as terms $T_1$, $T_2$, and $T_3$, respectively. Let $vg_1$, $vg_2$, and $vg_3$ be new domain variables. We generate new terms $U_1$, $U_2$, and $U_3$ as follows:

$$\begin{aligned} U_1 &= vg_1 \\ U_2 &= ITE(y = x, vg_1, vg_2) \\ U_3 &= ITE(vg_1 = x, vg_1, ITE(vg_1 = y, vg_2, vg_3)) \end{aligned} \qquad (2)$$

We use variable $vg_1$, the translation of $g(x)$, to represent the argument to the outer application of function symbol $g$ in the term $g(g(x))$. In general, we must always process nested applications of a given function symbol working from the innermost to the outermost. Given terms $U_1$, $U_2$, and $U_3$, we eliminate the function applications by replacing each instance of $T_i$ in the formula by $U_i$ for $1 \le i \le 3$, as shown in the middle part of Figure 4. We use multiplexors in our schematic diagrams to represent ITE operations.

[Figure 4: Removing Function Applications from $F_{eg}$. The schematic has three panels: the initial formula; the formula after removing the applications of function symbol $g$ (introducing $vg_1$, $vg_2$, $vg_3$); and the formula after removing the applications of function symbol $h$ (introducing $vh_1$, $vh_2$). The diagram itself is not reproduced here.]

Observe that as we consider interpretations with different values for variables $vg_1$, $vg_2$, and $vg_3$ in Equation 2, we implicitly cover all values that an interpretation of function symbol $g$ in formula $F_{eg}$ may yield for the three arguments. The nested ITE structure shown in Equation 2 enforces functional consistency. For example, consider an arbitrary interpretation $I$ of the symbols in $F_{eg}$. Define interpretation $I'$ to be identical to $I$ for the symbols in $F_{eg}$ and in addition to assign values 1, 2, and 3 to domain variables $vg_1$, $vg_2$, and $vg_3$, respectively. Table 3 shows the possible valuations of the three terms of Equation 2 under $I'$. For each possible partitioning by $I$ of arguments $x$, $y$, and $g(x)$ into equivalence classes, we get $I'[U_i] = I'[U_j]$ if and only if the arguments to function application terms $T_i$ and $T_j$ are equal under $I$.

Table 3: Possible valuations of the terms in Equation 2 when each variable $vg_i$ is assigned value $i$.

    Partitioning of x, y, g(x)     I'[U_1]   I'[U_2]   I'[U_3]
    {x}, {y}, {g(x)}                  1         2         3
    {x, y}, {g(x)}                    1         1         3
    {x}, {y, g(x)}                    1         2         2
    {x, g(x)}, {y}                    1         2         1
    {x, y, g(x)}                      1         1         1

We remove the two applications of function symbol $h$ by a similar process. That is, we introduce two new domain variables $vh_1$ and $vh_2$. We replace the first application of $h$ by $vh_1$ and the second by an ITE term that compares the arguments of the two function applications, yielding $vh_1$ if they are equal and $vh_2$ if they are not. The final form is illustrated in the bottom part of Figure 4. The translation of predicate applications is similar, introducing a new propositional variable for each application. After removing all applications of function and predicate symbols of nonzero order, we are left with a formula $F^*$ containing only domain and propositional variables.



4.2 Algorithm for Eliminating Function and Predicate Applications 

The general translation procedure follows the form shown for our example. It iterates through the 
function and predicate symbols of nonzero order. On each iteration it eliminates all occurrences of 
a given symbol. At the end we are left with a formula containing only domain and propositional 
variables. 

The following is a detailed description of the process required to eliminate all instances of a single function symbol $f$ having order $k > 0$ from a formula $G$. We use the variant of formula $F_{eg}$ shown schematically at the top of Figure 5. In this variant, we have replaced function symbol $g$ with $f$. In the sequel, if $E$ is an expression and $T$ and $U$ are terms, we will write $E[T \leftarrow U]$ for the result of substituting $U$ for each instance of $T$ in $E$. Let $T_1, \ldots, T_n$ denote the syntactically distinct terms occurring in formula $G$ having the application of $f$ as the top-level operation. We refer to these as "$f$-application" terms. Let the arguments to $f$ in $f$-application term $T_i$ be the terms $S_{i,1}, \ldots, S_{i,k}$, so that $T_i$ has the form $f(S_{i,1}, \ldots, S_{i,k})$. Assume the terms $T_1, \ldots, T_n$ are ordered such that if $T_i$ occurs as a subexpression of $T_j$ then $i < j$. In our example the $f$-application terms are: $T_1 = f(x)$, $T_2 = f(y)$ and $T_3 = f(f(x))$. These terms have arguments: $S_{1,1} = x$, $S_{2,1} = y$, and $S_{3,1} = f(x)$.

[Figure 5: Illustration of Function Application Removal. Upper panel: the initial p-formula, with contour lines marking the $f$-order of each operator. Lower panel: the formula after removing the applications of function symbol $f$, with domain variables $x$, $y$, $vf_1$, $vf_2$, $vf_3$ as inputs and the terms $U_1$, $U_2$, $U_3$ built from them. The diagram itself is not reproduced here.]

The translation processes the $f$-application terms in order, such that on step $i$ it replaces all occurrences of the $i$th application of function symbol $f$ by a nested ITE term. Let $vf_1, \ldots, vf_n$ be a new set of domain variables not occurring in $G$. We use these to encode the possible values returned by the $f$-application terms.

For any subexpression $E$ in $G$ define its integer-valued $f$-order, denoted $o_f(E)$, as the highest index $i$ of an $f$-application term $T_i$ occurring in $E$. If no $f$-application terms occur in $E$, its $f$-order is defined to be 0. By our ordering of the $f$-application terms, any argument $S_{i,l}$ to $f$-application term $T_i$ must have $o_f(S_{i,l}) < o_f(T_i)$, and therefore $o_f(T_i) = i$. For example, the contour lines shown in Figure 5 partition the operators according to their $f$-order values.

The transformations performed in replacing applications of function symbol $f$ can be expressed by defining the following recurrence for any subexpression $E$ of $G$:

$$\begin{aligned} E^{(0)} &= E \\ E^{(i)} &= E^{(i-1)}[T_i^{(i-1)} \leftarrow U_i], \quad 1 \le i \le n \\ \hat{E} &= E^{(m)}, \quad \text{where } m = o_f(E) \end{aligned} \qquad (3)$$

In this equation, term $T_i^{(i-1)}$ is the form of the $i$th $f$-application term $T_i$ after all but the topmost application of $f$ have been eliminated. Term $U_i$ is a nested ITE structure encoding the possible values returned by $T_i$ while enforcing its consistency with earlier applications. $U_i$ does not contain any applications of function symbol $f$. For a subexpression $E$ with $o_f(E) = m$, its form $E^{(m)}$ will contain no applications of function symbol $f$. We denote this form as $\hat{E}$. Observe that for any $i > o_f(E)$, term $T_i^{(i-1)}$ does not occur in $E^{(i-1)}$, and hence $E^{(i)} = \hat{E}$ for all $i \ge o_f(E)$. Observe also that for $f$-application term $T_i$, we have $\hat{T}_i = T_i^{(i)} = U_i$.

$U_i$ is defined in terms of a recursively-defined term $V_{i,j}$ as follows:

$$\begin{aligned} V_{i,i} &= vf_i, & 1 \le i \le n \\ V_{i,j} &= ITE(C_{i,j}, vf_j, V_{i,j+1}), & 1 \le j < i \le n \\ U_i &= V_{i,1}, & 1 \le i \le n \end{aligned} \qquad (4)$$

where for each $j < i$, formula $C_{i,j}$ is true iff the (transformed) arguments to the top-level application of $f$ in the terms $T_i$ and $T_j$ have the same values:

$$C_{i,j} = \bigwedge_{1 \le l \le k} \hat{S}_{i,l} = \hat{S}_{j,l} \qquad (5)$$

Observe that the recurrence of Equation 4 is well-defined, since for all argument terms of the form $S_{j,l}$ for $1 \le j \le i$ and $1 \le l \le k$, we have $o_f(S_{j,l}) < i$, and hence terms of the form $\hat{S}_{j,l}$ and $\hat{S}_{i,l}$, as well as term $V_{i,j+1}$, are available when we define $V_{i,j}$.

The lower part of Figure 5 shows the result of removing the three applications of $f$ from our example formula. First, we have $U_1 = vf_1$, giving translated function arguments: $\hat{S}_{1,1} = x$, $\hat{S}_{2,1} = y$, and $\hat{S}_{3,1} = vf_1$. The comparison formulas are then: $C_{2,1} = (y = x)$, $C_{3,1} = (vf_1 = x)$, and $C_{3,2} = (vf_1 = y)$. From these we get translated terms:

$$\begin{aligned} U_2 &= ITE(y = x, vf_1, vf_2) \\ U_3 &= ITE(vf_1 = x, vf_1, ITE(vf_1 = y, vf_2, vf_3)) \end{aligned}$$

We can see that formula $\hat{G} = G^{(n)}$ will no longer contain any applications of function symbol $f$. We will show that $\hat{G}$ is universally valid if and only if $G$ is.

In the following correctness proofs, we will use a fundamental principle relating syntactic substitution and expression evaluation:

Proposition 1 For any expression $E$, pair of terms $T$, $U$, and interpretation $I$ of all of the symbols in $E$, $T$, and $U$, if $I[T] = I[U]$ then $I[E[T \leftarrow U]] = I[E]$.

We will also use the following characterization of Equation 4. For value $i$ such that $1 \le i \le n$ and for interpretation $I$ of the symbols in $U_i$, we define the least matching value of $i$ under interpretation $I$, denoted $lm_I(i)$, as the minimum value $j$ in the range $1 \le j \le i$ such that $I[\hat{S}_{j,l}] = I[\hat{S}_{i,l}]$ for all $l$ in the range $1 \le l \le k$. Observe that this value is well defined, since $i$ forms a feasible value for $j$ in any case.

Lemma 3 For any interpretation $I$, $I[U_i] = I(vf_j)$ where $j = lm_I(i)$.

Proof: For value $m$ in the range $1 \le m \le i$ define $lm_I(m, i)$ as the minimum value of $j$ in the range $m \le j \le i$ such that $I[\hat{S}_{j,l}] = I[\hat{S}_{i,l}]$ for all $l$ in the range $1 \le l \le k$. By this definition $lm_I(i) = lm_I(1, i)$. Observe also that if $j = lm_I(m, i)$ then $I[C_{i,j}] = \mathit{true}$. In addition, for any value $m'$ in the range $m \le m' \le i$, if $lm_I(m, i) \ge m'$, then $lm_I(m, i) = lm_I(m', i)$.

We prove by induction on $m$, working downward from $m = i$, that $I[V_{i,m}] = I(vf_j)$, where $j = lm_I(m, i)$. The base case of $m = i$ is trivial, since $lm_I(i, i) = i$ and $V_{i,i} = vf_i$.

Assuming the property holds for $m + 1$, we consider two possibilities. First, if $lm_I(m, i) = m$, we have $I[C_{i,m}] = \mathit{true}$, and hence the top-level ITE operation in $V_{i,m}$ (Equation 4) will select its first term argument $vf_m$, giving $I[V_{i,m}] = I(vf_m)$. On the other hand, if $lm_I(m, i) > m$, we must have $I[C_{i,m}] = \mathit{false}$, and hence the top-level ITE operation in $V_{i,m}$ will select its second term argument $V_{i,m+1}$, giving $I[V_{i,m}] = I[V_{i,m+1}]$, which by the inductive hypothesis equals $I(vf_j)$ for $j = lm_I(m + 1, i)$. Since $lm_I(m, i) \ge m + 1$, we must also have $lm_I(m, i) = lm_I(m + 1, i)$, and hence $I[V_{i,m}] = I(vf_j)$, where $j = lm_I(m, i)$.

Since $U_i$ is defined as $V_{i,1}$, our induction argument proves that $I[U_i] = I(vf_j)$ for $j = lm_I(1, i) = lm_I(i)$. $\Box$
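The elimination procedure of Section 4.2 (Equations 3 to 5), the worked $g$/$h$ example of Section 4.1 with the valuations of Table 3, and the least-matching characterization just proved in Lemma 3 can all be exercised on the same small implementation. The following Python code is an added example, not the paper's own implementation: it orders the $f$-application terms so that subterms come first, builds the nested ITE terms $U_i$ for an arbitrary function symbol, and evaluates expressions under an interpretation so that $I[U_i] = I(vf_j)$ with $j = lm_I(i)$ can be checked on concrete values. The sample formula `F_SAMPLE` is constructed from the seven terms of Section 3.3 as an assumption (it is not a copy of Equation 1), and every function and variable name below is this example's own.

```python
"""Eliminating function applications (Section 4.2, Equations 3-5) and
checking the least-matching property of Lemma 3.  Added example code; it is
not from the paper, and its sample formula is constructed, not Equation 1."""

# Expressions are nested tuples.  Terms: ("x",) is a domain variable,
# ("f", t1, ..., tk) an application, ("ITE", formula, t1, t2) a conditional.
# Formulas: ("=", t1, t2), ("not", F), ("and", F1, F2), ("or", F1, F2).
CONNECTIVES = {"=", "not", "and", "or", "ITE"}


def is_app(e, f):
    return len(e) > 1 and e[0] == f and f not in CONNECTIVES


def contains_app(e, f):
    return len(e) > 1 and (is_app(e, f) or any(contains_app(a, f) for a in e[1:]))


def f_applications(expr, f):
    """Syntactically distinct f-application terms T_1..T_n, ordered by f-nesting
    depth and first occurrence, so a subterm always precedes a term containing it."""
    seen = {}

    def depth(e):
        if len(e) == 1:
            return 0
        d = max(depth(a) for a in e[1:])
        return d + 1 if is_app(e, f) else d

    def walk(e):
        if len(e) == 1:
            return
        for a in e[1:]:
            walk(a)
        if is_app(e, f) and e not in seen:
            seen[e] = (depth(e), len(seen))

    walk(expr)
    return sorted(seen, key=seen.get)


def conjunction(formulas):
    out = formulas[0]
    for g in formulas[1:]:
        out = ("and", out, g)
    return out


def eliminate(expr, f, prefix="vf"):
    """Replace each f-application T_i by the nested ITE term U_i of Equation 4,
    using fresh domain variables prefix1..prefixn.  Returns the transformed
    expression, the list of T_i, the list of U_i and the transformed argument
    tuples (S-hat_{i,1}, ..., S-hat_{i,k})."""
    apps = f_applications(expr, f)
    index = {t: i for i, t in enumerate(apps)}
    U, S_hat = [], []

    def hat(e):  # bottom-up rewrite; only needs U_j for terms nested inside e
        if len(e) == 1:
            return e
        if is_app(e, f):
            return U[index[e]]
        return (e[0],) + tuple(hat(a) for a in e[1:])

    for i, t in enumerate(apps):
        args = tuple(hat(a) for a in t[1:])   # arguments have lower f-order
        S_hat.append(args)
        v = (f"{prefix}{i + 1}",)             # V_{i,i} = vf_i
        for j in range(i - 1, -1, -1):        # V_{i,j} = ITE(C_{i,j}, vf_j, V_{i,j+1})
            c_ij = conjunction([("=", a, b) for a, b in zip(args, S_hat[j])])
            v = ("ITE", c_ij, (f"{prefix}{j + 1}",), v)
        U.append(v)                           # U_i = V_{i,1}
    return hat(expr), apps, U, S_hat


def evaluate(e, interp):
    """Evaluate under an interpretation: variables map to values, function
    symbols to Python callables."""
    op = e[0]
    if op == "=":
        return evaluate(e[1], interp) == evaluate(e[2], interp)
    if op == "not":
        return not evaluate(e[1], interp)
    if op in ("and", "or"):
        a, b = evaluate(e[1], interp), evaluate(e[2], interp)
        return (a and b) if op == "and" else (a or b)
    if op == "ITE":
        return evaluate(e[2] if evaluate(e[1], interp) else e[3], interp)
    if len(e) == 1:
        return interp[op]
    return interp[op](*(evaluate(a, interp) for a in e[1:]))


def least_matching(i, S_hat, interp):
    """lm_I(i) (0-based): the least j <= i whose transformed arguments take
    the same values as those of T_i under interp."""
    target = [evaluate(a, interp) for a in S_hat[i]]
    return next(j for j in range(i + 1)
                if [evaluate(a, interp) for a in S_hat[j]] == target)


# Constructed sample formula over the terms of Table 2 (an assumption, not the
# paper's Equation 1):  (x = y)  implies  h(g(x), g(g(x))) = h(g(y), g(g(x)))
X, Y = ("x",), ("y",)
F_SAMPLE = ("or", ("not", ("=", X, Y)),
            ("=", ("h", ("g", X), ("g", ("g", X))),
                  ("h", ("g", Y), ("g", ("g", X)))))


def table3_row(x_val, y_val):
    """Valuations (U_1, U_2, U_3) after removing g, with vg_i = i as in
    Table 3; choosing x or y equal to 1 makes it equal to g(x)'s value."""
    _, _, U, _ = eliminate(F_SAMPLE, "g", prefix="vg")
    interp = {"x": x_val, "y": y_val, "vg1": 1, "vg2": 2, "vg3": 3}
    return tuple(evaluate(u, interp) for u in U)
```

`eliminate(F_SAMPLE, "g", prefix="vg")` returns exactly the terms of Equation 2, and applying `eliminate` a second time with symbol `h` to the result removes the two $h$-applications (the second one becomes an ITE comparing the transformed arguments, as described in Section 4.1), leaving a formula over domain variables only. Because the `hat` rewrite is bottom-up and the $T_i$ are ordered by nesting depth, the argument tuples stored in `S_hat` are precisely the $\hat{S}_{i,l}$ of Equation 5, and under any assignment to $x$, $y$ and the $vg_i$ the value of `U[i]` equals that of the variable selected by `least_matching`, which is the statement of Lemma 3.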

Lemma 4 Any interpretation $J$ of the symbols in $G$ can be extended to an interpretation $\hat{J}$ of the symbols in both $G$ and $\hat{G}$ such that for every subexpression $E$ of $G$, $\hat{J}[\hat{E}] = \hat{J}[E] = J[E]$.

Proof: We provide a somewhat more general construction of $\hat{J}$ than is required for the proof of this lemma, in anticipation of using this construction in the proof of a later lemma. Given $J$ defined over domain $\mathcal{D}$, we define $\hat{J}$ over a domain $\hat{\mathcal{D}}$ such that $\hat{\mathcal{D}} \supseteq \mathcal{D}$.

We define $\hat{J}$ for the function and predicate symbols occurring in $G$ based on their definitions in $J$. For any function symbol $f$ in $G$ having $ord(f) = k$, and any argument values $x_1, \ldots, x_k \in \mathcal{D}$, we define $\hat{J}(f)(x_1, \ldots, x_k) = J(f)(x_1, \ldots, x_k)$. For argument values $x_1, \ldots, x_k \in \hat{\mathcal{D}}$ such that for some $i$, $x_i \notin \mathcal{D}$, we let $\hat{J}(f)(x_1, \ldots, x_k)$ be an arbitrary domain value. Similarly, for predicate symbol $p$, we define $\hat{J}(p)$ to yield the same value as $J(p)$ for arguments in $\mathcal{D}$ and to yield an arbitrary truth value when at least one argument is not in $\mathcal{D}$.

One can readily see that $\hat{J}[E] = J[E]$ for every subexpression $E$ of $G$. This takes care of the second equality in the statement of the lemma, and hence we can concentrate on the relation between $\hat{J}[\hat{E}]$ and $\hat{J}[E]$ for the remainder of the proof.

Recall that $vf_1, \ldots, vf_n$ are the domain variables introduced when generating the nested ITE terms $U_1, \ldots, U_n$. Our strategy is to define interpretations of these variables such that each $U_i$ mimics the behavior of the original $f$-application term $T_i$ in $G$.

We consider two cases. For the case where $lm_{\hat{J}}(i) = i$, we define $\hat{J}(vf_i) = J[T_i]$, i.e., the value of the $i$th $f$-application term in $G$ under $J$ (which equals $\hat{J}[T_i]$). Otherwise, we let $\hat{J}(vf_i)$ be an arbitrary domain value; we will show that its value does not affect the valuation of any expression $\hat{E}$ in $\hat{G}$ having a counterpart $E$ in $G$. Note that $lm_{\hat{J}}(i)$ depends only on the variables $vf_j$ with $j < i$, so the $\hat{J}(vf_i)$ can be defined in order of increasing $i$.

We argue by induction on $i$ that $\hat{J}[E^{(i)}] = \hat{J}[E]$ for any subexpression $E$ of $G$. For the case where $o_f(E) \le i$, this hypothesis implies that $\hat{J}[\hat{E}] = \hat{J}[E]$. The base case of $i = 0$ is trivial, since $E^{(0)}$ is defined to be $E$.

Suppose that for every $j$ in the range $1 \le j < i$ and every subexpression $D$ of $G$, we have $\hat{J}[D^{(j)}] = \hat{J}[D]$, and consequently that $\hat{J}[\hat{D}] = \hat{J}[D]$ for the case where $o_f(D) < i$. We must show that for every subexpression $E$ of $G$, we have $\hat{J}[E^{(i)}] = \hat{J}[E]$.

We first focus our attention on term $T_i$ in $G$ and its counterpart $U_i$ in $\hat{G}$, showing that $\hat{J}[U_i] = \hat{J}[T_i]$. The $f$-application terms $T_j$ for all $j$ such that $j < i$ have $o_f(T_j) = j < i$, and hence we can assume that $\hat{J}[U_j] = \hat{J}[T_j]$ for these values of $j$. Furthermore, any argument $S_{j,l}$ to an $f$-application term for $j \le i$ and $1 \le l \le k$ has $o_f(S_{j,l}) < j \le i$, and hence we can assume $\hat{J}[\hat{S}_{j,l}] = \hat{J}[S_{j,l}]$.

We consider two cases: $lm_{\hat{J}}(i) = i$, and $lm_{\hat{J}}(i) < i$. In the former case, we have by Lemma 3 that $\hat{J}[U_i] = \hat{J}(vf_i)$. Our definition of $\hat{J}(vf_i)$ gives $\hat{J}[U_i] = \hat{J}(vf_i) = \hat{J}[T_i]$. Otherwise, suppose that $lm_{\hat{J}}(i) = j < i$. Lemma 3 shows that $\hat{J}[U_i] = \hat{J}(vf_j)$. We can see that $lm_{\hat{J}}(j) = j$ (any earlier match for $j$ would also match $i$, contradicting the minimality of $j$), and hence $\hat{J}(vf_j)$ is defined to be $J[T_j] = \hat{J}[T_j]$. By the definition of $lm$ we have $\hat{J}[\hat{S}_{j,l}] = \hat{J}[\hat{S}_{i,l}]$ for $1 \le l \le k$. By the induction hypothesis we have $\hat{J}[\hat{S}_{j,l}] = \hat{J}[S_{j,l}]$, since $o_f(S_{j,l}) < i$, and similarly that $\hat{J}[\hat{S}_{i,l}] = \hat{J}[S_{i,l}]$. By transitivity we have $\hat{J}[S_{j,l}] = \hat{J}[S_{i,l}]$ for all $l$ such that $1 \le l \le k$, i.e., the arguments to $f$-application terms $T_j$ and $T_i$ have equal valuations under $\hat{J}$. Functional consistency requires that $\hat{J}[T_j] = \hat{J}[T_i]$. From this we can conclude that $\hat{J}[U_i] = \hat{J}(vf_j) = \hat{J}[T_j] = \hat{J}[T_i]$. Combining these cases gives $\hat{J}[U_i] = \hat{J}[T_i]$.

For any subexpression $E$, its form $E^{(i)}$ differs from $E^{(i-1)}$ only in that all instances of term $T_i^{(i-1)}$ have been replaced by $U_i$. We have just argued that $\hat{J}[U_i] = \hat{J}[T_i]$, and by the induction hypothesis we have that $\hat{J}[T_i^{(i-1)}] = \hat{J}[T_i]$, giving by transitivity that $\hat{J}[T_i^{(i-1)}] = \hat{J}[U_i]$. Proposition 1 implies that $\hat{J}[E^{(i)}] = \hat{J}[E^{(i-1)}]$, and our induction hypothesis gives $\hat{J}[E^{(i-1)}] = \hat{J}[E]$. By transitivity we have $\hat{J}[E^{(i)}] = \hat{J}[E]$.

To complete the proof, we observe that our induction argument implies that for any subexpression $E$ of $G$, $\hat{J}[E^{(m)}] = \hat{J}[E]$, including for the case where $m = o_f(E)$, giving $\hat{J}[\hat{E}] = \hat{J}[E^{(m)}] = \hat{J}[E]$. $\Box$

Lemma 5 Any interpretation J of the symbols in G can be extended to an interpretation J of the 
symbols in both G and G such that for every subexpression E ofG, J[E] = J[E] = J[E] . 

Proof: We define J to be identical to J for any symbol occurring in G. This implies that J[E] = 
J[E] for every subexpression E of G. This takes care of the second equality in the statement of the 
lemma, and hence we can concentrate on the relation between J[E] and J[E] for the remainder of 
the proof. 

For function symbol /, we define J(f)(xx, . . . , Xk) for domain elements a?i, . . . , x^ as follows. 
Suppose there is some value j such that xi = J[Sj t i] for all I such that 1 < I < k, and such that 
j = lmj(j). Then we define J(/)(xi, . . . ,Xk) to be J(vfj). If no such value of j exists, we let 
J{f){ x ii ■ ■ ■ j x k) be some arbitrary domain value. 

We argue by induction on i that J[E] = J[E^} for any subexpression E of G. For the case where 
Of{E) < i, this hypothesis implies that J[E] = J[E]. The base case of i = is trivial, since E^ 
is defined to be E. 

Suppose that for every j in the range 1 < j < i and every subexpression D of G, we have 
J[D] = J[D^], and consequently that J[D] = J[D] for the case where o/(D) < i. We must show 
that for every subexpression E of G, we have J[E] = J[E®]. 

We focus initially on term Tj in G and its counterpart Ui in G, showing that J\Ti\ = J[Ui\. Any 
/-application term Tj for j < i has Of(Tj) = j < i, and hence we can assume that J[Tj] = J[Tj). 
Furthermore, any argument Sjj to an /-application term for j < i and 1 < I < k has Of(Sj t i) < 
j < i, and hence we can assume that J[Sjj] = J[Sj t i\. 

We consider two cases: $\mathrm{lm}_J(i) = i$, and $\mathrm{lm}_J(i) < i$. In the former case, we have by Lemma 3 that $J[U_i] = J(vf_i)$. In addition, $\hat{J}(f)$ is defined such that $\hat{J}[T_i] = \hat{J}(f)(\hat{J}[S_{i,1}], \ldots, \hat{J}[S_{i,k}]) = \hat{J}(f)(J[\hat{S}_{i,1}], \ldots, J[\hat{S}_{i,k}]) = J(vf_i)$, giving $\hat{J}[T_i] = J(vf_i) = J[U_i]$. Otherwise, suppose that $\mathrm{lm}_J(i) = j < i$. Lemma 3 shows that $J[U_i] = J(vf_j)$. We can see that $\mathrm{lm}_J(j) = j$, and hence $\hat{J}(f)$ is defined such that $\hat{J}(f)(J[\hat{S}_{j,1}], \ldots, J[\hat{S}_{j,k}]) = J(vf_j)$. For any $l$ such that $1 \le l \le k$, we also have by the definition of $\mathrm{lm}$ that $J[\hat{S}_{j,l}] = J[\hat{S}_{i,l}]$. By the induction hypothesis we have $\hat{J}[S_{j,l}] = J[\hat{S}_{j,l}]$, since $o_f(S_{j,l}) < i$, and similarly that $\hat{J}[S_{i,l}] = J[\hat{S}_{i,l}]$. By transitivity we have $\hat{J}[S_{j,l}] = \hat{J}[S_{i,l}]$, i.e., the arguments to $f$-application terms $T_j$ and $T_i$ have equal valuations under $\hat{J}$. Functional consistency requires that $\hat{J}[T_i] = \hat{J}[T_j]$. Putting this together gives

$\hat{J}[T_i] = \hat{J}[T_j] = \hat{J}(f)(\hat{J}[S_{j,1}], \ldots, \hat{J}[S_{j,k}]) = \hat{J}(f)(J[\hat{S}_{j,1}], \ldots, J[\hat{S}_{j,k}]) = J(vf_j) = J[U_i].$

For any subexpression $E$, its form $E^{(i)}$ differs from $E^{(i-1)}$ only in that all instances of term $T_i$ have been replaced by $U_i$. We have just argued that $\hat{J}[T_i] = \hat{J}[U_i]$, and by the induction hypothesis we have that $\hat{J}[T_i] = \hat{J}[T_i^{(i-1)}]$, giving by transitivity that $\hat{J}[T_i^{(i-1)}] = \hat{J}[U_i]$. Proposition 1 implies that $\hat{J}[E^{(i-1)}] = \hat{J}[E^{(i)}]$, and our induction hypothesis gives $\hat{J}[E] = \hat{J}[E^{(i-1)}]$. By transitivity we have $\hat{J}[E] = \hat{J}[E^{(i)}]$.

To complete the proof, we observe that our induction argument implies that for any subexpression $E$ of $G$, $\hat{J}[E] = \hat{J}[E^{(i)}]$, including for the case where $i = m = o_f(E)$, giving $\hat{J}[E] = \hat{J}[E^{(m)}] = \hat{J}[\hat{E}]$. □

An application of a predicate symbol having nonzero order can be removed by a similar process, using newly generated propositional variables to encode the possible values returned by the predicate applications. By an argument similar to that made in Lemma 4, we can extend an interpretation to include interpretations of the propositional variables such that the original and the transformed formulas have identical valuations. Conversely, by an argument similar to that made in Lemma 5, we can extend an interpretation to include an interpretation of the original predicate symbol such that the original and the transformed formulas have identical valuations.

Suppose formula $F$ contains applications of $m$ different function and predicate symbols of nonzero order. Starting with $F_0 = F$, we can generate a sequence of formulas $F_0, F_1, \ldots, F_m$. Each formula $F_i$ is generated from its predecessor $F_{i-1}$ by letting $G = F_{i-1}$ and $F_i = \hat{G}$ in our technique to eliminate all instances of the $i$-th function or predicate symbol. Let $F^* = F_m$ denote the formula that will result once we have eliminated all applications of function and predicate symbols having nonzero order.

Theorem 3 For EUF formula $F$, the transformation process described above yields a formula $F^*$ such that $F$ is universally valid if and only if $F^*$ is universally valid.

Proof: If: Assume $F^*$ is universally valid, and consider any interpretation $I$ of the symbols in $F$. We construct a sequence of interpretations $I = I_0, I_1, \ldots, I_m$, where each interpretation $I_i$ is generated by extending its predecessor $I_{i-1}$ by letting $J = I_{i-1}$ and $I_i = \hat{J}$ in Lemma 4 or a similar one for predicate applications. The effect is to include in $I_i$ interpretations of the domain or propositional variables introduced when eliminating the $i$-th function or predicate symbol. We then define interpretation $I^*$ to be identical to $I_m$ for every variable appearing in $F^*$. By induction, we have $I^*[F^*] = I[F]$. Since $F^*$ is universally valid, we have $I[F] = I^*[F^*] = \mathbf{true}$. Since this construction can be performed for any interpretation $I$, $F$ must also be universally valid.

Only if: Assume $F$ is universally valid. Starting with an interpretation $I^*$ of the domain and propositional variables of $F^*$, we can define a sequence of interpretations $I^* = I_m, I_{m-1}, \ldots, I_0$, using the construction in the proof of Lemma 5 (or a similar one for predicate applications) to generate an interpretation of each function or predicate symbol in $F$. We then define interpretation $I$ to be identical to $I_0$ for every function or predicate symbol appearing in $F$. By induction, we have $I[F] = I^*[F^*]$. Since $F$ is universally valid, we have $I^*[F^*] = I[F] = \mathbf{true}$. Since this construction can be performed for any interpretation $I^*$, $F^*$ must also be universally valid. □

4.3 Assigning Distinct Values to Variables Representing P-Function Applications

Suppose we are given a PEUF p-formula $F$. We can also consider this to be a formula in EUF and hence apply the function and predicate application elimination procedure just described to derive a formula $F^*$ containing only domain and propositional variables. For each function symbol $f$ in $F$, we will introduce a series of domain variables $vf_1, \ldots, vf_n$. We will show that if $f$ is a p-function symbol, then our decision procedure can exploit maximal diversity by considering only interpretations that assign distinct values to $vf_1, \ldots, vf_n$. More precisely, we need only consider interpretations that are diverse for these variables when deciding the validity of $F$. This property holds even if the variables $vf_1, \ldots, vf_n$ are not classified as p-function symbols in $F^*$.

For example, consider the formula created by eliminating function symbol $g$ from $F_{eg}$, shown in the middle of the figure illustrating the nested-ITE transformation. By using an interpretation $I^*$ that assigns distinct values 1, 2, and 3 to variables $vg_1$, $vg_2$, and $vg_3$ we generate distinct values for the terms $U_1$, $U_2$, and $U_3$ (the nested-ITE terms defined earlier), except when there are matches between the arguments $x$, $y$, and $vg_1$. On the other hand, our encoding still considers the possibility that the arguments to the different applications of $g$ may match under some interpretations, in which case the function results should match as well. Observe that the equations $x = vg_1$ and $y = vg_1$ control ITEs in the transformed formula. Nonetheless, we will show that we can prove universal validity by considering only diverse interpretations of the $vg_i$.

To show this formally, consider the effect of replacing all instances of a function symbol $f$ in a formula $G$ by nested ITE terms, as described earlier, yielding a formula $\hat{G}$ with new domain variables $vf_1, \ldots, vf_n$. We first show that when we generate these variables while eliminating p-function applications, we can assume they have a diverse interpretation.

Lemma 6 Let $\Sigma$ be a subset of the symbols in $G$, and let $\hat{G}$ be the result of eliminating function symbol $f$ from $G$ by introducing new domain variables $vf_1, \ldots, vf_n$. If $f \in \Sigma$, then for any interpretation $J$ that is diverse for $G$ with respect to $\Sigma$, there is an interpretation $\hat{J}$ that is diverse for $\hat{G}$ with respect to $(\Sigma - \{f\}) \cup \{vf_1, \ldots, vf_n\}$ such that $J[G] = \hat{J}[\hat{G}]$.

Proof: Given interpretation $J$ defined over domain $\mathcal{D}$, we define interpretation $\hat{J}$ over a domain $\hat{\mathcal{D}} = \mathcal{D} \cup \{z_1, \ldots, z_n\}$. Each $z_i$ is a unique value, i.e., $z_i \ne z_j$ for any $i \ne j$, and $z_i \notin \mathcal{D}$.

The proof of this lemma is based on a refinement of the proof of Lemma 4. Whereas the construction in the earlier proof assigned arbitrary values to the new domain variables in some cases, we select an assignment that is diverse in these variables. As in the construction in the proof of Lemma 4, we define $\hat{J}$ for any function or predicate symbol in $G$ to be identical to that of $J$ when the arguments are all elements of $\mathcal{D}$. When some argument is not in $\mathcal{D}$, we let the function (respectively, predicate) application yield an arbitrary domain (resp., truth) value.

For domain variable $vf_i$ introduced when generating term $U_i$, we consider two cases. For the case where $\mathrm{lm}_J(i) = i$, we define $\hat{J}(vf_i) = J[T_i]$, i.e., the value of the $i$-th $f$-application term in $G$ under $J$. For the case where $\mathrm{lm}_J(i) < i$, we define $\hat{J}(vf_i) = z_i$. We saw in the proof of Lemma 4 that we could assign arbitrary values in this latter case and still have $J[G] = \hat{J}[\hat{G}]$. In fact, for every subexpression $E$ of $G$, we have that its counterpart $\hat{E}$ in $\hat{G}$ satisfies $J[E] = \hat{J}[\hat{E}]$.

We must show that $\hat{J}$ is diverse for $\hat{G}$ with respect to $(\Sigma - \{f\}) \cup \{vf_1, \ldots, vf_n\}$. We first observe that $\hat{J}$ is identical to $J$ for all function application terms in $G$, and hence $\hat{J}$ must be diverse with respect to $\Sigma$ for $G$. We also observe that $\hat{J}$ assigns to each variable $vf_i$ either a unique value $z_i$ or the value yielded by $f$-application term $T_i$ in $G$ under $J$.

Suppose there were distinct variables $vf_i$ and $vf_j$ such that $\hat{J}[vf_i] = \hat{J}[vf_j]$. This could occur only for the case that $\hat{J}(vf_i) = J[T_i] = J[T_j] = \hat{J}(vf_j)$. Since $J$ is diverse, we can have $J[T_i] = J[T_j]$ only if $\mathrm{lm}_J(i) = \mathrm{lm}_J(j)$. We cannot have both $\mathrm{lm}_J(i) = i$ and $\mathrm{lm}_J(j) = j$, and hence either $vf_i$ or $vf_j$ would have been assigned unique value $z_i$ or $z_j$, respectively. Thus, we can conclude that $\hat{J}[vf_i] \ne \hat{J}[vf_j]$ for distinct variables $vf_i$ and $vf_j$.

In addition, we must show that interpretation $\hat{J}$ does not create any matches between a new variable $vf_i$ and a function application term $T$ in $G$ that does not have $f$ as the topmost function symbol. Since $J$ is diverse with respect to $\Sigma$ for $G$ and $f \in \Sigma$, any function application term $T$ in $G$ that does not have function symbol $f$ as its topmost symbol must have $J[T] \ne J[T_i]$ for all $1 \le i \le n$. In addition, we have $J[T] \ne z_i$ for all $1 \le i \le n$. Hence, we must have $J[T] \ne \hat{J}(vf_i)$. □

We must also show that the variables introduced when eliminating g-function applications do not 
adversely affect the diversity of the other symbols. 

Lemma 7 Let $\Sigma$ be a subset of the symbols in $G$, and let $\hat{G}$ be the result of eliminating function symbol $f$ from $G$ by introducing new domain variables $vf_1, \ldots, vf_n$. If $f \notin \Sigma$, then for any interpretation $J$ that is diverse for $G$ with respect to $\Sigma$, there is an interpretation $\hat{J}$ that is diverse for $\hat{G}$ with respect to $\Sigma$ such that $J[G] = \hat{J}[\hat{G}]$.

Proof: The proof of this lemma is based on a refinement of the proof of Lemma 4. Whereas the construction in the earlier proof assigned arbitrary values to some of the new domain variables, we select an assignment such that we do not inadvertently violate the diversity of the other function symbols.
We define $\hat{J}$ to be identical to $J$ for any symbol occurring in $G$. For each domain variable $vf_i$ introduced when generating term $U_i$, we define $\hat{J}(vf_i) = J[T_i]$. This differs from the interpretation defined in the proof of Lemma 4 only in giving fixed interpretations to domain variables that could otherwise be arbitrary, and hence we have $J[G] = \hat{J}[\hat{G}]$. In fact, for every subexpression $E$ of $G$, we have that its counterpart $\hat{E}$ in $\hat{G}$ satisfies $J[E] = \hat{J}[\hat{E}]$.

We must show that $\hat{J}$ is diverse for $\hat{G}$ with respect to $\Sigma$. We first observe that $\hat{J}$ is identical to $J$ for all function application terms in $G$, and hence $\hat{J}$ must be diverse for $G$ with respect to $\Sigma$. We also observe that $\hat{J}$ assigns to each variable $vf_i$ the value of $f$-application term $T_i$. For a term $T$ having the application of a function symbol $g \in \Sigma$ as the topmost operation, we must have $\hat{J}[T] = J[T] \ne J[T_i] = \hat{J}[vf_i]$. Hence, we are assured that the values assigned to the new variables under $\hat{J}$ do not violate the diversity of the interpretations of the symbols in $\Sigma$. □

Suppose we apply the transformation process of Theorem 3 to a p-formula $F$ to generate a formula $F^*$, and that in this process, we introduce a set of new domain variables $\mathcal{V}$ to replace the applications of the p-function symbols. Let $\Sigma^*_p(F)$ be the union of the set of domain variables in $\Sigma_p(F)$ and $\mathcal{V}$. That is, $\Sigma^*_p(F)$ consists of those domain variables in the original formula $F$ that were p-function symbols as well as the domain variables generated when replacing applications of p-function symbols. Let $\Sigma^*_g(F)$ be the domain variables in $F^*$ that are not in $\Sigma^*_p(F)$. These variables were either g-function symbols in $F$ or were generated when replacing g-function applications.

We observe that we can generate all maximally diverse interpretations of $F$ by considering only interpretations of the variables in $F^*$ that assign distinct values to the variables in $\Sigma^*_p(F)$:

Theorem 4 PEUF p-formula $F$ is universally valid if and only if its translation $F^*$ is true for every interpretation $I^*$ that is diverse over $\Sigma^*_p(F)$.

Proof: Only if: By Theorem 3, the universal validity of $F$ implies that of $F^*$, and hence $F^*$ must be true for every interpretation.

If: The proof in the other direction follows by inducting on the number of function and predicate symbols in $F$ having nonzero order. For the induction step we use Lemma 6 when eliminating all applications of a p-function symbol, and Lemma 7 when eliminating all applications of a g-function symbol. When eliminating a predicate symbol, we do not introduce any new domain variables. □



4.3.1 Discussion 

Ackermann also describes a scheme for replacing function application terms by domain variables [Ack54]. His scheme simply replaces each instance of a function application by a newly-generated domain variable and then introduces constraints expressing functional consistency as antecedents to the modified formula. As an illustration, the figure for his method shows the result of applying it to formula $F_{eg}$ of Equation 1. First, we replace the three applications of function symbol $g$ with new domain variables $vg_1$, $vg_2$, and $vg_3$. To maintain functional consistency we add constraints

$(x = y \Rightarrow vg_1 = vg_2) \wedge (x = vg_1 \Rightarrow vg_1 = vg_3) \wedge (y = vg_1 \Rightarrow vg_2 = vg_3)$

as an antecedent to the modified g-formula. The result is shown in the middle of that figure, using Boolean connectives $\wedge$, $\vee$, and $\neg$ rather than $\Rightarrow$. In this diagram, the three constraints listed above form the middle three arguments of the final disjunction. A similar process is used to replace the applications of function symbol $h$, adding a fourth constraint $vg_1 = vg_2 \wedge vg_3 = vg_3 \Rightarrow vh_1 = vh_2$. The result is shown at the bottom of the figure.

There is no clear way to exploit maximal diversity with this translated form. For example, if we consider only diverse interpretations of variables $vg_1$, $vg_2$, and $vg_3$, we will fail to consider interpretations of the original g-formula for which $x$ equals $y$.

4.4 Using Fixed Interpretations of the Variables in $\Sigma^*_p(F)$

We can further simplify the task of determining universal validity by choosing particular domains of sufficient size and assigning fixed interpretations to the variables in $\Sigma^*_p(F)$. The next result follows from Theorem 4.

Corollary 1 Let $\mathcal{D}_p$ and $\mathcal{D}_g$ be disjoint subsets of domain $\mathcal{D}$ such that $|\mathcal{D}_p| \ge |\Sigma^*_p(F)|$ and $|\mathcal{D}_g| \ge |\Sigma^*_g(F)|$. Let $\sigma$ be any 1-1 mapping $\sigma\colon \Sigma^*_p(F) \to \mathcal{D}_p$. PEUF p-formula $F$ is universally valid if and only if its translation $F^*$ is true for every interpretation $I^*$ such that $I^*(v_p) = \sigma(v_p)$ for every variable $v_p \in \Sigma^*_p(F)$, and $I^*(v_g) \in \mathcal{D}_g$ for every variable $v_g \in \Sigma^*_g(F)$.

Proof: Consider any interpretation $J^*$ of the variables in $\Sigma^*_p(F) \cup \Sigma^*_g(F)$ that is diverse over $\Sigma^*_p(F)$. We show that we can construct an isomorphic interpretation $I^*$ that satisfies the restrictions of the corollary.

Let $\mathcal{D}'_p$ (respectively, $\mathcal{D}'_g$) be the range of $J^*$ considering only variables in $\Sigma^*_p(F)$ (resp., $\Sigma^*_g(F)$). The function $J^*\colon \Sigma^*_p(F) \to \mathcal{D}'_p$ must be a bijection and hence have an inverse $J^{*-1}\colon \mathcal{D}'_p \to \Sigma^*_p(F)$. Furthermore, we must have $|\mathcal{D}'_g| \le |\Sigma^*_g(F)| \le |\mathcal{D}_g|$. Let $\sigma_p$ be the 1-1 mapping $\sigma_p\colon \mathcal{D}'_p \to \mathcal{D}_p$ defined for any $z$ in $\mathcal{D}'_p$ as $\sigma_p(z) = \sigma(J^{*-1}(z))$. Let $\sigma_g$ be an arbitrary 1-1 mapping $\sigma_g\colon \mathcal{D}'_g \to \mathcal{D}_g$. We now define $I^*$ such that for any variable $v$ in $\Sigma^*_p(F)$ (respectively, $\Sigma^*_g(F)$) we have $I^*(v)$ equal to $\sigma_p(J^*(v))$ (resp., $\sigma_g(J^*(v))$). Finally, for any propositional variable $a$, we let $I^*(a)$ equal $J^*(a)$.

For any EUF formula, isomorphic interpretations will always yield identical valuations, giving $I^*[F^*] = J^*[F^*]$. Hence the set of interpretations satisfying the restrictions of the corollary form a sufficient set to prove the universal validity of $F^*$. □
5 Reductions to Propositional Logic

We present two different methods of translating a PEUF p-formula into a propositional formula that is tautological if and only if the original p-formula is universally valid. Both use the function and predicate elimination method described in the previous section so that the translation can be applied to a formula $F^*$ containing only domain and propositional variables. In addition, we assume that a subset of the domain variables $\Sigma^*_p(F)$ has been identified such that we need to encode only those interpretations that are diverse over these variables.



5.1 Translation Based on Bit Vector Interpretations 

A formula such as $F^*$ containing only domain and propositional variables can readily be translated into one in propositional logic, using the set of bit vectors of some length $k \ge \log_2 m$ as the domain of interpretation for a formula containing $m$ domain variables [VB98]. In this formulation, we represent a domain variable as a vector of propositional variables, where truth value $\mathbf{false}$ encodes bit value 0, and truth value $\mathbf{true}$ encodes bit value 1. In [VB98] we described an encoding scheme in which the $i$-th domain variable is encoded as a bit vector of the form $(0, \ldots, 0, a_{i,k-1}, \ldots, a_{i,0})$, where $k = \lceil \log_2 i \rceil$, and each $a_{i,j}$ is a propositional variable. This scheme can be viewed as encoding interpretations of the domain variables over the integers where the $i$-th domain variable ranges over the set $\{0, \ldots, i-1\}$ [PRSS99]. That is, it may equal any of its predecessors, or it may be distinct.



We then recursively translate F* using vectors of propositional formulas to represent terms. By 
this means we then reduce F* to a propositional formula that is tautological if and only if F*, and 
consequently the original EUF formula F, is universally valid. 

We can exploit positive equality by using fixed bit vectors, rather than vectors of propositional variables, when encoding variables in $\Sigma^*_p(F)$. Furthermore, we can construct our bit encodings such that the vectors encoding variables in $\Sigma^*_g(F)$ never match the bit patterns encoding variables in $\Sigma^*_p(F)$. As an illustration, consider formula $F_{eg}$ given by Equation 1 translated into formula $F^*_{eg}$ as diagrammed at the bottom of the figure illustrating the nested-ITE transformation. We need encode only those interpretations of variables $x$, $y$, $vg_1$, $vg_2$, $vg_3$, $vh_1$, and $vh_2$ that are diverse with respect to the last five variables. Therefore, we can assign 3-bit encodings to the seven variables as follows:

$x$: $(0, 0, 0)$
$y$: $(0, 0, a_{1,0})$
$vg_1$: $(0, 1, 0)$
$vg_2$: $(0, 1, 1)$
$vg_3$: $(1, 0, 0)$
$vh_1$: $(1, 0, 1)$
$vh_2$: $(1, 1, 0)$

where $a_{1,0}$ is a propositional variable. This encoding uses the same scheme as [VB98] for the variables in $\Sigma^*_g(F)$ but uses fixed bit patterns for the variables in $\Sigma^*_p(F)$. As a consequence, we require just a single propositional variable to encode formula $F^*_{eg}$.

As a further refinement, we could apply methods devised by Pnueli et al. to reduce the size of the domains associated with each variable in $\Sigma^*_g(F)$ [PRSS99]. This will in turn allow us to reduce the number of propositional variables required to encode each domain variable in $\Sigma^*_g(F)$.
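As an added example (not code from the paper), the following Python implements the nested-ITE elimination of function applications from Section 4 and then decides validity with the bit-vector encoding of Section 5.1: variables in $\Sigma^*_p(F)$ get fixed, pairwise-distinct values that the $\Sigma^*_g(F)$ vectors cannot match, the $i$-th variable of $\Sigma^*_g(F)$ gets $\lceil \log_2 i \rceil$ fresh propositional variables as in [VB98], and the translation is checked by enumerating those variables. The form of $F_{eg}$ assumed here is $x = y \Rightarrow h(g(x), g(g(x))) = h(g(y), g(g(x)))$, chosen to match the functional-consistency constraints listed in Section 4.3.1; the fresh variables are numbered by first occurrence, so their numbering may differ from the figures', and the second formula is a non-valid one added to show a counterexample being found when $g$ is not a p-function symbol.

```python
from itertools import product
from math import ceil, log2

# Terms: ('var', name) | ('app', f, (args,)) | ('ite', G, T1, T2)
# Formulas: bool | ('pvar', name) | ('eq', T1, T2) | ('not', G) | ('and', G1, G2) | ('or', G1, G2)
def Var(n): return ('var', n)
def App(f, *args): return ('app', f, args)
def Eq(a, b): return ('eq', a, b)
def Imp(a, b): return ('or', ('not', a), b)

def eliminate(f, F):
    """Replace each distinct application T_i of f in F by a nested ITE over fresh
    domain variables vf_1..vf_n (numbered by first occurrence, nested applications first):
    U_i = ITE(S_1 = S_i, vf_1, ITE(S_2 = S_i, vf_2, ... vf_i)) over transformed arguments."""
    apps = []                                  # (transformed args of T_i, U_i)

    def args_eq(a, b):                         # conjunction of argument equations
        g = Eq(a[0], b[0])
        for s, t in zip(a[1:], b[1:]):
            g = ('and', g, Eq(s, t))
        return g

    def term(T):
        if T[0] == 'var': return T
        if T[0] == 'ite':
            return ('ite', form(T[1]), term(T[2]), term(T[3]))
        args = tuple(term(a) for a in T[2])    # transform the arguments first
        if T[1] != f: return ('app', T[1], args)
        for prev, u in apps:                   # identical arguments: same term T_j, reuse U_j
            if prev == args: return u
        i = len(apps) + 1
        u = Var(f'v{f}{i}')                    # vf_i: no earlier application matches
        for j in range(i - 1, 0, -1):          # outermost test is against T_1
            u = ('ite', args_eq(apps[j - 1][0], args), Var(f'v{f}{j}'), u)
        apps.append((args, u))
        return u

    def form(G):
        if isinstance(G, bool) or G[0] == 'pvar': return G
        if G[0] == 'eq': return Eq(term(G[1]), term(G[2]))
        return (G[0],) + tuple(form(c) for c in G[1:])

    return form(F), [f'v{f}{i}' for i in range(1, len(apps) + 1)]

def ev(X, env):
    """Evaluate a term or formula of F* (no applications left) under env."""
    if isinstance(X, bool): return X
    k = X[0]
    if k in ('var', 'pvar'): return env[X[1]]
    if k == 'eq':  return ev(X[1], env) == ev(X[2], env)
    if k == 'not': return not ev(X[1], env)
    if k == 'and': return ev(X[1], env) and ev(X[2], env)
    if k == 'or':  return ev(X[1], env) or ev(X[2], env)
    return ev(X[2], env) if ev(X[1], env) else ev(X[3], env)   # ite

def variables(X, dom, prop):
    """Collect the domain and propositional variables of X."""
    if isinstance(X, tuple):
        if X[0] == 'var': dom.add(X[1])
        elif X[0] == 'pvar': prop.add(X[1])
        else:
            for c in X[1:]: variables(c, dom, prop)

def check_valid(F, funcs, p_symbols):
    """Eliminate the symbols in funcs (in order), then decide validity of F* with the
    encoding of Section 5.1: Sigma*_p (variables introduced for p-function symbols, plus
    zero-order p-function symbols) gets fixed distinct values outside the range of
    Sigma*_g; the i-th variable of Sigma*_g gets ceil(log2 i) propositional bits.
    Returns (valid, Sigma*_p, number of propositional variables)."""
    Fs, sigma_p = F, set()
    for f in funcs:
        Fs, fresh = eliminate(f, Fs)
        if f in p_symbols:
            sigma_p.update(fresh)
    dom, prop = set(), set()
    variables(Fs, dom, prop)
    sigma_p |= {v for v in dom if v in p_symbols}
    sigma_g = sorted(dom - sigma_p)
    bits = {v: [f'a{i},{b}' for b in range(ceil(log2(i)))] for i, v in enumerate(sigma_g, 1)}
    width = max((len(b) for b in bits.values()), default=0)
    fixed = {v: (1 << width) + j for j, v in enumerate(sorted(sigma_p))}
    pvars = sorted(prop) + [a for v in sigma_g for a in bits[v]]
    for vals in product((False, True), repeat=len(pvars)):
        env = dict(zip(pvars, vals))
        for v in sigma_g:                      # bit vector -> integer value
            env[v] = sum(env[a] << b for b, a in enumerate(bits[v]))
        env.update(fixed)
        if not ev(Fs, env):
            return False, sorted(sigma_p), len(pvars)
    return True, sorted(sigma_p), len(pvars)

x, y = Var('x'), Var('y')
# F_eg as assumed here:  x = y  =>  h(g(x), g(g(x))) = h(g(y), g(g(x)))
F_eg = Imp(Eq(x, y), Eq(App('h', App('g', x), App('g', App('g', x))),
                        App('h', App('g', y), App('g', App('g', x)))))
# Not valid (g occurs in a negated equation, so it is a g-function symbol):  g(x) = g(y) => x = y
F_bad = Imp(Eq(App('g', x), App('g', y)), Eq(x, y))
```

`check_valid(F_eg, ['g', 'h'], {'g', 'h'})` needs a single propositional variable (the bit of $y$), while `check_valid(F_bad, ['g'], set())` reports a counterexample after enumerating bit vectors for all four domain variables.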



5.2 Translation Based on Pairwise Encodings of Term Equality 



Goel et al. [GSZAS98] describe a method for generating a propositional formula from an EUF formula, such that the propositional formula will be a tautology if and only if the EUF formula is universally valid. They first use Ackermann's method to eliminate function applications of nonzero order [Ack54]. Then they introduce a propositional variable $e_{i,j}$ for each pair of domain variables $v_i$ and $v_j$ encoding the conditions under which the two variables have matching values. Finally, they generate a propositional formula in terms of the $e_{i,j}$ variables.

We provide a modified formulation of their approach that exploits the properties of p-formulas to encode only valuations under maximally diverse interpretations. As a consequence, we require $e_{i,j}$ variables only to express equality among those domain variables that represent g-term values in the original p-formula.

The propositional formula generated by either of these schemes does not enforce constraints among the $e_{i,j}$ variables due to the transitivity of equality, i.e., constraints of the form $e_{i,j} \wedge e_{j,k} \Rightarrow e_{i,k}$. As a result, in attempting to prove the formula is a tautology, false "counterexamples" may be generated. We return to this issue later in this section.



5.2.1 Construction of Propositional Formula 

Starting with p-formula $F$, we apply our method of eliminating function applications to give a formula $F^*$ containing only domain and propositional variables. The domain variables in $F^*$ are partitioned into sets $\Sigma^*_p(F)$, corresponding to p-function applications in $F$, and $\Sigma^*_g(F)$, corresponding to g-function applications in $F$. Let us identify the variables in $\Sigma^*_g(F)$ as $\{v_1, \ldots, v_N\}$, and the variables in $\Sigma^*_p(F)$ as $\{v_{N+1}, \ldots, v_{N+M}\}$. We need encode only those interpretations that are diverse in this latter set of variables.

For values of $i$ and $j$ such that $1 \le i < j \le N$, define propositional variables $e_{i,j}$ encoding the equality relation between variables $v_i$ and $v_j$. We require these propositional variables only for indices less than or equal to $N$. Higher indices correspond to variables in $\Sigma^*_p(F)$, and we can assume for any such variable $v_i$ that it will equal variable $v_j$ only when $i = j$.

For each term $T$ in $F^*$ and each $v_i$ with $1 \le i \le N+M$, we generate a formula $\mathit{enct}_i(T)$ to encode the conditions under which the control g-formulas in the ITEs in term $T$ will be set so that the value of $T$ becomes that of domain variable $v_i$. In addition, for each g-formula $G$ we define a propositional formula $\mathit{encf}(G)$ giving the encoded form of $G$. These formulas are defined by mutual recursion. The base cases are:

$\mathit{encf}(\mathbf{true}) = \mathbf{true}$
$\mathit{encf}(\mathbf{false}) = \mathbf{false}$
$\mathit{encf}(a) = a$, where $a$ is a propositional variable
$\mathit{enct}_i(v_i) = \mathbf{true}$
$\mathit{enct}_j(v_i) = \mathbf{false}$, for $i \ne j$

For the logical connectives, we define $\mathit{encf}$ in the obvious way:

$\mathit{encf}(\neg G_1) = \neg\,\mathit{encf}(G_1)$
$\mathit{encf}(G_1 \wedge G_2) = \mathit{encf}(G_1) \wedge \mathit{encf}(G_2)$
$\mathit{encf}(G_1 \vee G_2) = \mathit{encf}(G_1) \vee \mathit{encf}(G_2)$

For ITE terms, we define $\mathit{enct}$ as:

$\mathit{enct}_i(\mathit{ITE}(G, T_1, T_2)) = \mathit{encf}(G) \wedge \mathit{enct}_i(T_1) \;\vee\; \neg\,\mathit{encf}(G) \wedge \mathit{enct}_i(T_2)$

For equations, we define $\mathit{encf}(T_1 = T_2)$ to be

$\mathit{encf}(T_1 = T_2) = \bigvee_{1 \le i,j \le N} \mathit{enct}_i(T_1) \wedge e_{[i,j]} \wedge \mathit{enct}_j(T_2) \;\vee\; \bigvee_{N+1 \le i \le N+M} \mathit{enct}_i(T_1) \wedge \mathit{enct}_i(T_2)$   (6)

where $e_{[i,j]}$ is defined for $1 \le i,j \le N$ as $\mathbf{true}$ when $i = j$, as $e_{i,j}$ when $i < j$, and as $e_{j,i}$ when $i > j$.

Informally, Equation 6 expresses the property that there are two ways for a pair of terms to be equal in an interpretation. The first way is if the two terms evaluate to the same variable, i.e., we have both $\mathit{enct}_i(T_1)$ and $\mathit{enct}_i(T_2)$ hold for some variable $v_i$. For $1 \le i \le N$, the left hand part of Equation 6 will hold since $e_{[i,i]} = \mathbf{true}$. For $N+1 \le i \le N+M$, the right hand part of Equation 6 will hold. The second way is that two terms will be equal under some interpretation when they evaluate to two different variables $v_i$ and $v_j$ that have the same value. In this case we will have $\mathit{enct}_i(T_1)$, $\mathit{enct}_j(T_2)$, and $e_{[i,j]}$ hold, where $1 \le i,j \le N$. Observe that Equation 6 encodes only interpretations that are diverse over $\{v_{N+1}, \ldots, v_{N+M}\}$. It makes use of the fact that when $N+1 \le i \le N+M$, variable $v_i$ will equal variable $v_j$ only if $i = j$.

As an example, Figure 7 shows an encoding of the formula $F^*$ given in the figure illustrating the nested-ITE transformation, which was derived from the original formula $F$ shown in Figure 3. The variables in $\Sigma^*_g(F)$ are $x$ and $y$. These are renamed as $v_1$ and $v_2$, giving $N = 2$. The variables in $\Sigma^*_p(F)$ are $vg_1$, $vg_2$, $vg_3$, $vh_1$, and $vh_2$. These are relabeled as $v_3$ through $v_7$, giving $M = 5$. Each formula in the figure is annotated by a (simplified) propositional formula, while each term $T$ is annotated by a list with entries of the form $i\colon \mathit{enct}_i(T)$, for those entries such that $\mathit{enct}_i(T) \ne \mathbf{false}$. We use the shorthand notation "T" for $\mathbf{true}$ and "F" for $\mathbf{false}$. Our encoding introduces a single propositional variable $e_{1,2}$. It can be seen that our method encodes only the interpretations for $F^*$ labeled as D1 and D2 in the table of example interpretations. When $e_{1,2}$ is false, we encode interpretation D2, in which $x \ne y$ and every function application term yields a distinct value. When $e_{1,2}$ is true, we encode interpretation D1, in which $x = y$ and hence we have $g(x) = g(y)$ and $h(g(x), g(g(x))) = h(g(y), g(g(y)))$.

[Figure 7: diagram of the encoded formula; each term is annotated by its non-false entries $i\colon \mathit{enct}_i(T)$ over the variables $v_1, v_2$ (for $x$, $y$) and $v_3$ through $v_7$.]

Figure 7: Encoding Example Formula in Propositional Logic. Each term $T$ is represented as a list giving the non-false values of $\mathit{enct}_i(T)$.
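As an added example (not the paper's code), the following Python implements $\mathit{encf}$ and $\mathit{enct}_i$ exactly as defined above, including Equation 6 and the symmetric $e_{[i,j]}$, applies them to the nested-ITE form of $F^*_{eg}$ with the numbering used for Figure 7 ($v_1 = x$, $v_2 = y$, $v_3$ through $v_7$ for $vg_1, vg_2, vg_3, vh_1, vh_2$), and checks the result under every assignment to the $e_{i,j}$ variables that obeys transitivity. The ITE structure written for $F^*_{eg}$ is assumed from the elimination scheme (the figure itself is not reproduced here), and a second formula with $N = 3$ shows the false counterexample that appears when transitivity is not enforced.

```python
from itertools import product

# F*: terms are ('var', i) for domain variable v_i (1 <= i <= N+M) or ('ite', G, T1, T2);
# formulas are bool, ('pvar', name), ('eq', T1, T2), ('not', G), ('and', G1, G2), ('or', G1, G2).
# Encoded (propositional) formulas additionally use the atom ('e', i, j) for e_{i,j}, i < j.

def not_(a): return (not a) if isinstance(a, bool) else ('not', a)
def and_(a, b):
    if a is False or b is False: return False
    return b if a is True else a if b is True else ('and', a, b)
def or_(a, b):
    if a is True or b is True: return True
    return b if a is False else a if b is False else ('or', a, b)

def E(i, j):
    """e_[i,j]: true on the diagonal, otherwise the single variable for the unordered pair."""
    return True if i == j else ('e', min(i, j), max(i, j))

def encode(F, N, M):
    """encf(F) for F* over v_1..v_{N+M}: v_1..v_N are the Sigma*_g variables (related by
    e_{i,j}); v_{N+1}..v_{N+M} are the Sigma*_p variables, taken to be pairwise distinct
    and distinct from every v_i with i <= N."""
    def encf(G):
        if isinstance(G, bool) or G[0] == 'pvar': return G
        if G[0] == 'not': return not_(encf(G[1]))
        if G[0] == 'and': return and_(encf(G[1]), encf(G[2]))
        if G[0] == 'or':  return or_(encf(G[1]), encf(G[2]))
        T1, T2, r = G[1], G[2], False            # equation T1 = T2: Equation (6)
        for i in range(1, N + 1):
            for j in range(1, N + 1):
                r = or_(r, and_(and_(enct(T1, i), E(i, j)), enct(T2, j)))
        for i in range(N + 1, N + M + 1):
            r = or_(r, and_(enct(T1, i), enct(T2, i)))
        return r

    def enct(T, i):                              # conditions under which T takes the value of v_i
        if T[0] == 'var': return T[1] == i
        g = encf(T[1])
        return or_(and_(g, enct(T[2], i)), and_(not_(g), enct(T[3], i)))

    return encf(F)

def atoms(P, out):
    """Collect the e_{i,j} atoms and propositional variables of an encoded formula."""
    if isinstance(P, tuple):
        if P[0] == 'e': out.add(P)
        elif P[0] == 'pvar': out.add(P[1])
        else:
            for c in P[1:]: atoms(c, out)
    return out

def ev(P, env):
    if isinstance(P, bool): return P
    k = P[0]
    if k == 'e': return env[P]
    if k == 'pvar': return env[P[1]]
    if k == 'not': return not ev(P[1], env)
    if k == 'and': return ev(P[1], env) and ev(P[2], env)
    return ev(P[1], env) or ev(P[2], env)

def obeys_transitivity(env, N):
    """J[e_[i,j]] and J[e_[j,k]] imply J[e_[i,k]] for all 1 <= i, j, k <= N."""
    def eq(i, j): return True if i == j else env[E(i, j)]
    rng = range(1, N + 1)
    return all(not (eq(i, j) and eq(j, k)) or eq(i, k) for i in rng for j in rng for k in rng)

def valid(P, N, require_transitivity=True):
    """True iff P holds under every interpretation of all e_{i,j} (i < j <= N) and the
    propositional variables, restricted to those obeying transitivity when required."""
    names = atoms(P, {E(i, j) for i in range(1, N + 1) for j in range(i + 1, N + 1)})
    names = sorted(names, key=str)
    for vals in product((False, True), repeat=len(names)):
        env = dict(zip(names, vals))
        if require_transitivity and not obeys_transitivity(env, N):
            continue
        if not ev(P, env):
            return False
    return True

V = lambda i: ('var', i)
ITE = lambda g, a, b: ('ite', g, a, b)
Eq = lambda a, b: ('eq', a, b)

# F*_eg as assumed here (N = 2, M = 5): U_i replace the g-applications g(x), g(y), g(g(x)),
# W_i replace the h-applications; v1 = x, v2 = y, v3..v5 = vg1..vg3, v6, v7 = vh1, vh2.
U1 = V(3)
U2 = ITE(Eq(V(1), V(2)), V(3), V(4))
U3 = ITE(Eq(V(1), V(3)), V(3), ITE(Eq(V(2), V(3)), V(4), V(5)))
W1 = V(6)
W2 = ITE(('and', Eq(U1, U2), Eq(U3, U3)), V(6), V(7))
F_STAR = ('or', ('not', Eq(V(1), V(2))), Eq(W1, W2))      # x = y  =>  h(...) = h(...)
P_EG = encode(F_STAR, 2, 5)                                 # only e_{1,2} survives

# Transitivity matters here: (v1 = v2 and v2 = v3) => v1 = v3, with N = 3, M = 0.
F_TRANS = ('or', ('not', ('and', Eq(V(1), V(2)), Eq(V(2), V(3)))), Eq(V(1), V(3)))
P_TRANS = encode(F_TRANS, 3, 0)
```

`valid(P_TRANS, 3, require_transitivity=False)` returns the false counterexample $e_{1,2} = e_{2,3} = \mathbf{true}$, $e_{1,3} = \mathbf{false}$ as a failure, while `valid(P_TRANS, 3)` accepts the formula.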

In general, the final result of the recursive translation will be a propositional formula $\mathit{encf}(F^*)$. The variables in this formula consist of the propositional variables that occur in $F^*$ as well as a subset of the variables of the form $e_{i,j}$. Nothing in this formula enforces the transitivity of equality. We will discuss in the next section how to impose transitivity constraints in a way that exploits the sparse structure of the equations. Other than transitivity, we claim that the translation $\mathit{encf}(F^*)$ captures validity of $F^*$, and consequently the original p-formula $F$. For an interpretation $J$ over a set of propositional variables, including variables of the form $e_{i,j}$ for $1 \le i < j \le N$, we say that $J$ obeys transitivity when for all $i$, $j$, and $k$ such that $1 \le i,j,k \le N$ we have $J[e_{[i,j]}] \wedge J[e_{[j,k]}] \Rightarrow J[e_{[i,k]}]$.
To formalize the intuition behind the encoding, let $I^*$ be an interpretation of the variables in the translated formula $F^*$. For interpretation $I^*$, define $\mathit{sel}_{I^*}(T)$ to be a function mapping each term $T$ in $F^*$ to the index of the unique domain variable selected by the values of the ITE control g-formulas in $T$. That is, $\mathit{sel}_{I^*}(v_i) = i$, while $\mathit{sel}_{I^*}(\mathit{ITE}(G, T_1, T_2))$ is defined as $\mathit{sel}_{I^*}(T_1)$ when $I^*[G] = \mathbf{true}$ and as $\mathit{sel}_{I^*}(T_2)$ when $I^*[G] = \mathbf{false}$.

Proposition 2 For all interpretations $I^*$ of the variables in $F^*$ and any term $T$ occurring in $F^*$, if $\mathit{sel}_{I^*}(T) = i$, then $I^*[T] = I^*(v_i)$.

Lemma 8 For any interpretation $I^*$ of the variables in $F^*$ that is diverse for $\Sigma^*_p(F)$, there is an interpretation $J$ of the variables in $\mathit{encf}(F^*)$ that obeys transitivity and such that $J[\mathit{encf}(F^*)] = I^*[F^*]$.

Proof: For each propositional variable $a$ occurring in $F^*$, we define $J(a) = I^*(a)$. For each pair of variables $v_i$ and $v_j$ such that $1 \le i < j \le N$, we define $J(e_{i,j})$ to be $\mathbf{true}$ iff $I^*(v_i) = I^*(v_j)$. We can see that $J$ must obey transitivity, because it is defined in terms of a transitive relation in $I^*$.

We prove the following hypothesis by induction on the expression depths: 

1. For every formula $G$ in $F^*$: $J[\mathit{encf}(G)] = I^*[G]$.

2. For every term $T$ in $F^*$ and all $i$ such that $1 \le i \le N+M$: $J[\mathit{enct}_i(T)] = \mathbf{true}$ iff $\mathit{sel}_{I^*}(T) = i$.

The base cases hold as follows: 

1. Formulas of the form $\mathbf{true}$, $\mathbf{false}$, and $a$ have $\mathit{encf}(G) = G$ and $J[G] = I^*[G]$.

2. Term $v_j$ has $J[\mathit{enct}_i(v_j)] = \mathbf{true}$ iff $j = i$, and $\mathit{sel}_{I^*}(v_j) = i$ iff $j = i$.

Assuming the induction hypothesis holds for formulas $G_1$ and $G_2$, one can readily see that it will hold for formulas $\neg G_1$, $G_1 \wedge G_2$, and $G_1 \vee G_2$, by the definition of $\mathit{encf}$.

Assuming the induction hypothesis holds for formula $G$ and for terms $T_1$ and $T_2$, consider term $T$ of the form $\mathit{ITE}(G, T_1, T_2)$. For the case where $I^*[G] = \mathbf{true}$, we have $I^*[T] = I^*[T_1]$, and also $\mathit{sel}_{I^*}(T) = \mathit{sel}_{I^*}(T_1)$. The induction hypothesis for $T_1$ gives $J[\mathit{enct}_i(T_1)] = \mathbf{true}$ iff $\mathit{sel}_{I^*}(T_1) = i$. The induction hypothesis for $G$ gives $J[\mathit{encf}(G)] = I^*[G] = \mathbf{true}$, and hence $J[\mathit{enct}_i(T)] = J[\mathit{enct}_i(T_1)]$. From all this, we can conclude that $J[\mathit{enct}_i(T)] = \mathbf{true}$ iff $\mathit{sel}_{I^*}(T) = i$. A similar argument holds when $I^*[G] = \mathbf{false}$, but based on the induction hypothesis for $T_2$.

Finally, assuming the induction hypothesis holds for terms $T_1$ and $T_2$, consider the equation $T_1 = T_2$. Suppose that $\mathit{sel}_{I^*}(T_1) = i$ and $\mathit{sel}_{I^*}(T_2) = j$. Our induction hypothesis for $T_1$ and $T_2$ gives $J[\mathit{enct}_i(T_1)] = J[\mathit{enct}_j(T_2)] = \mathbf{true}$. Suppose either $i > N$ or $j > N$. Then we will have $I^*(v_i) = I^*(v_j)$ iff $i = j$. In addition, the right hand part of Equation 6 will hold under $J$ iff $i = j$. Otherwise, suppose that $1 \le i,j \le N$. We will have $I^*(v_i) = I^*(v_j)$ iff $J[e_{[i,j]}] = \mathbf{true}$. In addition, the left hand part of Equation 6 will hold under $J$ iff $J[e_{[i,j]}] = \mathbf{true}$. □
[Figure 8: three diagrams, labeled 3.b, 3.b.i, and 3.b.ii, for the cases of the proof below.]

Figure 8: Case Analysis for Part 3b of Proof of Lemma 9. Solid lines denote equalities, while dashed lines denote inequalities.

Lemma 9 For every interpretation $J$ of the variables in $\mathit{encf}(F^*)$ that obeys transitivity, there is an interpretation $I^*$ of the variables in $F^*$ such that $I^*[F^*] = J[\mathit{encf}(F^*)]$.

Proof: We define interpretation $I^*$ over the domain of integers $\{1, \ldots, N+M\}$. For propositional variable $a$, we define $I^*(a) = J(a)$. For $1 \le j \le N$ we let $I^*(v_j)$ be the minimum value of $i$ such that $J[e_{[i,j]}] = \mathbf{true}$. For $N < j \le N+M$ we let $I^*(v_j) = j$. Observe that this interpretation gives $I^*(v_j) \le j$ for all $j \le N$, since $e_{[j,j]} = \mathbf{true}$, and $I^*(v_j) = j$ for $j > N$.

We claim that for $i \le N$, if $I^*(v_j) = i$, then we must have $I^*(v_i) = i$ as well. If instead we had $I^*(v_i) = k < i$, then we must have $J[e_{[k,i]}] = \mathbf{true}$. Combining this with $J[e_{[i,j]}] = \mathbf{true}$, the transitivity requirement would give $J[e_{[k,j]}] = \mathbf{true}$, but this would imply that $I^*(v_j) \le k < i$, contradicting $I^*(v_j) = i$.

We prove the following hypothesis by induction on the expression depths: 

1. For every formula $G$ in $F^*$: $I^*[G] = J[\mathit{encf}(G)]$.

2. For every term $T$ in $F^*$ and all $i$ such that $1 \le i \le N+M$: $\mathit{sel}_{I^*}(T) = i$ iff $J[\mathit{enct}_i(T)] = \mathbf{true}$.

The base cases hold as follows: 

1. Formulas of the form $\mathbf{true}$, $\mathbf{false}$, and $a$ have $G = \mathit{encf}(G)$ and $I^*[G] = J[G]$.

2. Term $v_j$ has $\mathit{sel}_{I^*}(v_j) = i$ iff $j = i$, and $J[\mathit{enct}_i(v_j)] = \mathbf{true}$ iff $j = i$.

Assuming the induction hypothesis holds for formula $G$ and for terms $T_1$ and $T_2$, consider term $T$ of the form $\mathit{ITE}(G, T_1, T_2)$. For the case where $J[\mathit{encf}(G)] = \mathbf{true}$, we have $J[\mathit{enct}_i(T)] = J[\mathit{enct}_i(T_1)]$. The induction hypothesis for $T_1$ gives $\mathit{sel}_{I^*}(T_1) = i$ iff $J[\mathit{enct}_i(T_1)] = \mathbf{true}$. The induction hypothesis for $G$ gives $I^*[G] = J[\mathit{encf}(G)] = \mathbf{true}$, giving $I^*[T] = I^*[T_1]$, and also $\mathit{sel}_{I^*}(T) = \mathit{sel}_{I^*}(T_1)$. Combining all this gives $\mathit{sel}_{I^*}(T) = i$ iff $J[\mathit{enct}_i(T)] = \mathbf{true}$. A similar argument can be made when $J[\mathit{encf}(G)] = \mathbf{false}$, but based on the induction hypothesis for $T_2$.

Finally, assuming the induction hypothesis holds for terms $T_1$ and $T_2$, consider the equation $T_1 = T_2$. Let $i = \mathit{sel}_{I^*}(T_1)$ and $j = \mathit{sel}_{I^*}(T_2)$. In addition, let $k = I^*(v_i)$ and $l = I^*(v_j)$. Our induction hypothesis gives $J[\mathit{enct}_i(T_1)] = \mathbf{true}$, and $J[\mathit{enct}_j(T_2)] = \mathbf{true}$. Proposition 2 gives $I^*[T_1] = k$ and $I^*[T_2] = l$. By our earlier argument, we must also have $I^*(v_k) = k$ and $I^*(v_l) = l$. We consider different cases for the values of $i$, $j$, $k$, and $l$.

1. Suppose $i > N$. Then we must have $k = I^*(v_i) = i$. Equation $T_1 = T_2$ will hold under $I^*$ iff $I^*(v_j) = l = k$, and this will hold iff $j = l = k = i$. In addition, the right hand part of Equation 6 will hold under $J$ iff $i = j$.

2. Suppose $j > N$. By an argument similar to the previous one, we will have equation $T_1 = T_2$ holding under interpretation $I^*$ and Equation 6 holding under interpretation $J$ iff $i = j$.

3. Suppose $1 \le i,j \le N$. Since $I^*(v_i) = k = I^*(v_k)$ we must have $J[e_{[k,i]}] = \mathbf{true}$. Similarly, since $I^*(v_j) = l = I^*(v_l)$ we must have $J[e_{[l,j]}] = \mathbf{true}$.

(a) Suppose $k = l$, and hence $T_1 = T_2$ holds under $I^*$. Then we have $J[e_{[k,i]}] = J[e_{[k,j]}] = \mathbf{true}$. Our transitivity requirement then gives $J[e_{[i,j]}] = \mathbf{true}$, and hence the left hand part of Equation 6 will hold under $J$.

(b) Suppose $k \ne l$, and hence $T_1 = T_2$ does not hold under $I^*$. We must have $J[e_{[k,l]}] = \mathbf{false}$. This condition is illustrated in the left hand diagram of Figure 8. In this figure we use solid lines to denote equalities and dashed lines to denote inequalities. We argue that we must also have $J[e_{[i,j]}] = \mathbf{false}$ by the following case analysis for $e_{[k,j]}$:

i. For $J[e_{[k,j]}] = \mathbf{true}$, we get the case diagrammed in the middle of Figure 8, where the diagonal line creates a triangle with just one dashed line (inequality). This represents a violation of our transitivity requirement, since it indicates $J[e_{[k,j]}] = J[e_{[j,l]}] = \mathbf{true}$, but $J[e_{[k,l]}] = \mathbf{false}$.

ii. For $J[e_{[k,j]}] = \mathbf{false}$ and $J[e_{[i,j]}] = \mathbf{true}$, we have the case diagrammed on the right side of Figure 8. Again we have a triangle with just one dashed line indicating a violation of our transitivity requirement, with $J[e_{[k,i]}] = J[e_{[i,j]}] = \mathbf{true}$, but $J[e_{[k,j]}] = \mathbf{false}$.

With $J[e_{[i,j]}] = \mathbf{false}$, Equation 6 will not hold under $J$.

From this case analysis we see that $T_1 = T_2$ holds under $I^*$ iff Equation 6 holds under $J$. □

Theorem 5 p-formula $F$ is universally valid iff its translation $\mathit{encf}(F^*)$ is true for all
interpretations that obey transitivity.

Proof: This theorem follows directly from Lemma 8 and the lemma just proved. □

We have thus reduced the task of proving that a PEUF p-formula is universally valid to one of
proving that a propositional formula is true under all interpretations that satisfy transitivity
constraints. This result is similar to that of Goel et al., except that they potentially require a
propositional variable for every pair of function application terms occurring in the original
formula. In our case, we only introduce these variables for a subset of the pairs of g-function
applications. For example, their method would require 8 variables to encode the transformed
version of formula $F_{eg}$ shown in Figure 6, whereas we require only one using either of our two
encoding schemes.

To complete the implementation of a decision procedure for PEUF, we must devise a procedure
for the constrained Boolean satisfiability problem defined by Goel et al., as follows. We are given
a Boolean formula $F_{sat}$ over a set of propositional variables. A subset of the variables are of the
form $e_{i,j}$, where $1 \le i < j \le N$. A transitivity constraint is a formula of the form

$e_{[i_1,i_2]} \wedge e_{[i_2,i_3]} \wedge \cdots \wedge e_{[i_{k-1},i_k]} \Rightarrow e_{[i_1,i_k]}$

where $e_{[i,j]}$ equals $e_{i,j}$ when $i < j$ and equals $e_{j,i}$ when $i > j$. The task is to find a truth
assignment that satisfies $F_{sat}$ as well as every transitivity constraint. For PEUF p-formula $F$,
if we can show that the formula $\neg\mathit{encf}(F^*)$ has no satisfying assignment that also satisfies
the transitivity constraints, then we have proved that $F$ is universally valid.

Goel et al. have shown the constrained Boolean satisfiability problem is NP-hard, even when
$F_{sat}$ is represented as an OBDD. We have also studied this problem in the context of pipelined
processor verification [BV00a, BV00b]. We have found that we can exploit the sparse structure of the
$e_{i,j}$ variables both when using OBDDs to perform the verification and when using Boolean
satisfiability checkers. As a result, enforcing transitivity constraints has a relatively small impact
on the performance of the decision procedure. In fact, many processors can be verified without
considering transitivity constraints — the formula $\neg\mathit{encf}(F^*)$ is unsatisfiable even
disregarding transitivity constraints [VB99].
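As an added illustration (this is not code from the paper), the following Python brute-forces the constrained satisfiability problem just defined on a tiny instance. It also implements the triangle condition used in case (b) of the lemma above: once every $e_{[i,j]}$ variable is assigned, any violated chain constraint contains a violated three-element one, so it suffices to look for triangles with exactly one "dashed" (false) edge. The sample formulas, the helper names, and the use of sorted index pairs as keys for $e_{[i,j]}$ are my own constructions.

```python
from itertools import combinations, product


def e(i, j):
    """Canonical key for e_[i,j]: the paper defines e_[i,j] = e_{i,j} for i < j
    and e_{j,i} for i > j, so both orders map to the same variable."""
    if i == j:
        raise ValueError("e_[i,i] is not a variable")
    return (min(i, j), max(i, j))


def all_pairs(N):
    """All equality variables e_{i,j} with 1 <= i < j <= N."""
    return [e(i, j) for i, j in combinations(range(1, N + 1), 2)]


def transitivity_violations(N, assignment):
    """Return every triangle (a, b, c) with e[a,b] and e[b,c] true but e[a,c] false.

    For a complete assignment the chain constraint
        e[i1,i2] & ... & e[i_{k-1},i_k]  =>  e[i1,ik]
    follows by induction from the three-element cases, so checking all
    triangles decides all transitivity constraints. Each hit is the
    'one dashed line' picture of Figure 8.
    """
    bad = []
    for i, j, k in combinations(range(1, N + 1), 3):
        for a, b, c in ((i, j, k), (j, k, i), (k, i, j)):
            if assignment[e(a, b)] and assignment[e(b, c)] and not assignment[e(a, c)]:
                bad.append((a, b, c))
    return bad


def constrained_sat(N, formula, enforce_transitivity=True):
    """Brute-force the constrained Boolean satisfiability problem.

    `formula` plays the role of F_sat and is a predicate over an assignment
    dict keyed by e(i, j). Returns a satisfying assignment that also obeys
    every transitivity constraint, or None. Exponential in the number of
    variables; intended only to make the definition concrete.
    """
    names = all_pairs(N)
    for bits in product((False, True), repeat=len(names)):
        assignment = dict(zip(names, bits))
        if not formula(assignment):
            continue
        if enforce_transitivity and transitivity_violations(N, assignment):
            continue
        return assignment
    return None


# Constructed example 1: v1 = v2 and v2 = v3 but v1 != v3. This is exactly the
# triangle with one dashed line from case (b) of the proof: satisfiable as a
# plain propositional formula, unsatisfiable once transitivity is enforced.
def triangle_formula(a):
    return a[e(1, 2)] and a[e(2, 3)] and not a[e(1, 3)]


# Constructed example 2: v1 = v2 and v1 != v3. Transitivity forces e[2,3]
# false, and the solver finds that assignment.
def consistent_formula(a):
    return a[e(1, 2)] and not a[e(1, 3)]


if __name__ == "__main__":
    print(constrained_sat(3, triangle_formula, enforce_transitivity=False))
    print(constrained_sat(3, triangle_formula))
    print(constrained_sat(3, consistent_formula))
```

The first call returns an assignment, the second returns `None`, and the third returns an assignment in which $e_{[2,3]}$ is false. The same triangle test is what a decision procedure must apply (lazily or eagerly) on top of $\neg\mathit{encf}(F^*)$ before declaring a formula invalid.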



6 Modeling Microprocessors in PEUF 

Our interest is in verifying pipelined microprocessors, proving their equivalence to an unpipelined
instruction set architecture model. We use the approach pioneered by Burch and Dill [BD94] in
which the abstraction function from pipeline state to architectural state is computed by
symbolically simulating a flushing of the pipeline state and then projecting away the state of all
but the architectural state elements, such as the register file, program counter, and data memory.
Operationally, we construct two sets of p-terms describing the final values of the state elements
resulting from two different symbolic simulation sequences — one from the pipeline model and one
from the instruction set model. The correctness condition is represented by a p-formula expressing
the equality of these two sets of p-terms.

Our approach starts with an RTL or gate-level model of the microprocessor and performs a series
of abstractions to create a model of the data path using terms that satisfy the restrictions of PEUF.
Examining the structure of a pipelined processor, we find that the signals we wish to abstract as
terms can be classified as follows:

Program Data: Values generated by the ALU and stored in registers and data memory. These
are also used as addresses for the data memory.

Register Identifiers: Used to index the register file.

Instruction Addresses: Used to designate which instructions to fetch.

Control values: Status flags, opcodes, and other signals modeled at the bit level.

By proper construction of the data path model, both program data and instruction addresses can 
be represented as p-terms. Register identifiers, on the other hand, must be modeled as g-terms, 
because their comparisons control the stall and bypass logic. The remaining control logic is kept 
at the bit level. 

In order to generate such a model, we must abstract the operation of some of the processor units. 
For example, the data path ALU is abstracted as an uninterpreted p-function, generating a data 
value given its data and control inputs. Formally, this requires extending the syntax for function 
applications to allow both formula and term inputs. We model the PC incrementer and the branch 
target logic as uninterpreted functions generating instruction addresses. We model the branch 
decision logic as an uninterpreted predicate indicating whether or not to take the branch based 
on data and control inputs. This allows us to abstract away the data equality test used by the 
branch-on-equal instruction. 

To model the register file, we use the memory model described by Burch and Dill [BD94], creating
a nested ITE structure to encode the effect of a read operation based on the history of writes to the
memory. That is, suppose at some point we have performed $k$ write operations with addresses
given by terms $A_1, \ldots, A_k$ and data given by terms $D_1, \ldots, D_k$. Then the effect of a read with
address term $A$ is the term:

$\mathit{ITE}(A = A_k, D_k, \mathit{ITE}(A = A_{k-1}, D_{k-1}, \cdots \mathit{ITE}(A = A_1, D_1, f_I(A)) \cdots))$ (7)

where $f_I$ is an uninterpreted function expressing the initial memory state. Note that the presence
of these comparison and ITE operations requires register identifiers to be modeled with g-terms.

Since we view the instruction memory as being read-only, we can model the instruction memory 
as a collection of uninterpreted functions and predicates — each generating a different portion of 
the instruction field. Some of these will be p-functions (for generating immediate data), some will 
be g-functions (for generating register identifiers), and some will be predicates (for generating the 
different bits of the opcode). In practice, the interpretation of different portions of an instruction 
word depends on the instruction type, essentially forming a "tagged union" data type. Extract- 
ing and interpreting the different instruction fields during processor verification is an interesting 
research problem, but it lies outside the scope of this paper. 

The data memory provides a greater modeling challenge. Since the memory addresses are
generated by the ALU, they are considered program data, which we would like to model as p-terms.
However, using a memory model similar to that used for the register file requires comparisons
between addresses and ITE operations having the comparison results as control. Instead, we must
create a more abstract memory model that weakens the semantics of a true memory to satisfy the
restrictions of PEUF. Our abstraction models a memory as a generic state machine, computing a
new state for each write operation based on the input data, address, and current state. Rather than
Equation (7), we would express the effect of a read with address term $A$ after $k$ write operations
as $f_r(S_k, A)$, where $f_r$ is an uninterpreted "memory read" function, and $S_k$ is a term representing
the state of the memory after the $k$ write operations. This term is defined recursively as $S_0 = s_0$,
where $s_0$ is a domain variable representing the initial state, and $S_i = f_u(S_{i-1}, A_i, D_i)$ for $i \ge 1$,
where $f_u$ is an uninterpreted "memory update" function. In essence, we view write operations as
making arbitrary changes to the entire memory state.

This model removes some of the correlations guaranteed by the read operations of an actual
memory. For example, although it will yield identical results for two successive read operations
to the same address, it will indicate that a possibly different result could be returned if these two
reads are separated by a write, even to a different address. In addition, if we write data $D$ to
address $A$ and then immediately read from this address, our model will not indicate that the
resulting value must be $D$. Nonetheless, it can readily be seen that this abstraction is a conservative
approximation of an actual memory. As long as the pipelined processor performs only the write
operations indicated by the program, performs these writes in program order, and orders reads
relative to writes as the program does, the two simulations will produce equal terms
representing the final memory states.
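To make the two memory models concrete, here is an added Python sketch (not the authors' code) that builds the Burch and Dill nested-ITE read term of Equation (7) and the state-machine terms $S_i = f_u(S_{i-1}, A_i, D_i)$ and $f_r(S_k, A)$ of this section as plain tuples. The tuple representation, the symbol names, the argument order of $f_u$, and the sample write sequences are my assumptions; the syntactic ITE simplifier is included only to show which facts each model can and cannot recover, which is exactly the trade-off the paragraph above describes.

```python
# Terms are nested tuples: ("ITE", cond, t, f), ("=", a, b), or (fname, arg, ...).
# Domain variables and constants are strings. Tuple equality stands in for
# syntactic identity of terms, which is all functional consistency gives us.

def ite(c, t, f):
    return ("ITE", c, t, f)


def eq(a, b):
    return ("=", a, b)


def app(f, *args):
    return (f,) + args


def register_file_read(addr, writes, init="f_I"):
    """Equation (7): read of `addr` after writes [(A_1, D_1), ..., (A_k, D_k)]
    given oldest first, built as a nested ITE with the newest write outermost.
    The A = A_i comparisons are why register identifiers must be g-terms."""
    term = app(init, addr)              # f_I(A): the initial memory contents
    for a, d in writes:
        term = ite(eq(addr, a), d, term)
    return term


def memory_state(writes, init="s_0"):
    """PEUF-compatible state-machine model: S_0 = s_0, S_i = f_u(S_{i-1}, A_i, D_i).
    No address comparison is ever generated, so addresses may stay p-terms."""
    state = init
    for a, d in writes:
        state = app("f_u", state, a, d)   # argument order is an assumption
    return state


def data_memory_read(addr, writes):
    """f_r(S_k, A): the read depends only on the final state term and the address."""
    return app("f_r", memory_state(writes), addr)


def simplify(term):
    """Reduce ITE(X = X, t, f) to t using syntactic equality only.
    This is the step the nested-ITE model enables; the state-machine
    model offers no corresponding rule, so its read terms stay opaque."""
    if not isinstance(term, tuple):
        return term
    head, *args = term
    args = [simplify(a) for a in args]
    if (head == "ITE" and isinstance(args[0], tuple)
            and args[0][0] == "=" and args[0][1] == args[0][2]):
        return args[1]
    return (head,) + tuple(args)


def demo():
    """Constructed scenarios contrasting the two models."""
    # Write D to A, then read A: Equation (7) yields D after simplification,
    # the state-machine model leaves f_r(f_u(s_0, A, D), A) uninterpreted.
    rf_read = simplify(register_file_read("A", [("A", "D")]))
    dm_read = data_memory_read("A", [("A", "D")])
    # Two simulations that perform the same writes in the same order produce
    # syntactically equal state terms (the conservative-approximation argument)...
    same_order = memory_state([("A1", "D1"), ("A2", "D2")]) == \
        memory_state([("A1", "D1"), ("A2", "D2")])
    # ...while reordering the writes yields a different term, even though a
    # real memory would agree whenever A1 != A2.
    reordered = memory_state([("A1", "D1"), ("A2", "D2")]) == \
        memory_state([("A2", "D2"), ("A1", "D1")])
    return rf_read, dm_read, same_order, reordered


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Reading the output side by side shows the lost correlation in the text: the register-file model proves the read-after-write returns $D$, whereas the data-memory model only returns $f_r(f_u(s_0, A, D), A)$, a term that equals the instruction-set model's term precisely when both simulations issued the same writes in the same order.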

The remaining parts of the data path include comparators comparing for matching register identi- 
fiers to determine bypass and stall conditions, and multiplexors, modeled as ITE operations select- 
ing between alternate data and instruction address sources. Since register identifiers are modeled as 
g-terms, these comparison and control combinations obey the restrictions of PEUF. Finally, such 
operations as instruction decoding and pipeline control are modeled at the bit level using Boolean 
operations. 



7 Experimental Results 



In [VB98], we described the implementation of a symbolic simulator for verifying pipelined
systems using vectors of Boolean variables to encode domain variables, effectively treating all terms
as g-terms. This simulation is performed directly on a modified gate-level representation of the
processor. In this modified version, we replace all state holding elements (registers, memories,
and latches) with behavioral models we call Efficient Memory Models (EMMs). In addition all
data-transformation elements (e.g., ALUs, shifters, PC incrementers) are replaced by read-only
EMMs, which effectively implement the transformation of function applications into nested ITE
expressions described earlier. One interesting feature of this implementation is that our
decision procedure is executed directly as part of the symbolic simulation. Whereas other
implementations, including Burch and Dill's, first generate a formula and then decide its validity,
our implementation generates and manipulates bit-vector representations of terms as the symbolic
simulation proceeds. Modifying this program to exploit positive equality simply involves having
the EMMs generate expressions containing fixed bit patterns rather than vectors of Boolean
variables. All performance results presented here were measured on a 125 MHz Sun Microsystems
SPARC-20.



We constructed several simple pipelined processor designs based on the MIPS instruction set [KH92].
We abstract register identifiers as g-terms, and hence our verification covers all possible numbers
of program registers including the 32 of the MIPS instruction set. The simplest version of the
pipeline implements ten different Register-Register and Register-Immediate instructions. Our
program could verify this design in 48 seconds of CPU time and just 7 MB of memory using vectors
of Boolean variables to encode domain variables. Using fixed bit patterns reduces the complexity
of the verification to 6 seconds and 2 MB.

We then added a memory stage to implement load and store instructions. An interlock stalls the
processor one cycle when a load instruction is followed by an instruction requiring the loaded
result. Treating all terms as g-terms and using vectors of Boolean variables to encode domain
variables, we could not verify even a 4-bit version of this data path (effectively reducing $|V|$ to
16), despite running for over 2000 seconds. The fact that both addresses and data for the memory
come from the register file induces a circular constraint on the ordering of BDD variables encoding
the terms. On the other hand, exploiting positive equality by using fixed bit patterns for register
values eliminates these variable ordering concerns. As a consequence, we could verify this design
in just 12 CPU seconds using 1.8 MB.

Finally, we verified a complete CPU, with a 5-stage pipeline implementing 10 ALU instructions,
load and store, and MIPS instructions j (jump with target computed from instruction word), jr
(jump using register value as target), and beq (branch on equal). This design is comparable to the
DLX design [HP96] verified by Burch and Dill in [BD94], although our version contains more of
the implementation details. We were unable to verify this processor using the scheme of [VB98].
Having instruction addresses dependent on instruction or data values leads to exponential BDD
growth when modeling the instruction memory. Modeling instruction addresses as p-terms, on the
other hand, makes this verification tractable. We can verify the full, 32-bit version of the processor
using 169 CPU seconds and 7.5 MB.

More recently [VB99], we have implemented a new decision procedure using the pairwise encoding
of term equality approach. Verifying a single-issue RISC pipeline with this decision procedure
requires only a fraction of a CPU second. We have been able to verify a dual-issue pipeline with
just 35 seconds of CPU time. By contrast, Burch [Bur96] verified a somewhat simpler dual-issue
processor only after devising 3 different commutative diagrams, providing 28 manual case splits,
and using around 30 minutes of CPU time. Our results are far better than any others achieved to
date. In more recent work [VB99], we have been able to add additional features to our pipeline
model, including exception handling, multicycle instructions, and branch prediction. By using
appropriate abstractions, most of this complexity can be expressed by p-function applications
and by predicate applications. We have also been able to verify models of VLIW processors
[Vel00]. These models are far beyond the capability of any other automated tool for verifying
pipelined microprocessors. Having a decision procedure that exploits positive equality is critical
to the success of this verifier.



8 Conclusions 

Eliminating Boolean variables in the encoding of terms representing program data and instruction 
addresses has given us a major breakthrough in our ability to verify pipelined processors. Our BDD 
variables now encode only control conditions and register identifiers. For classic RISC pipelines, 
the resulting state space is small and regular enough to be handled readily with BDDs. 

We believe that there are many optimizations that will yield further improvements in the
performance of Boolean methods for deciding formulas involving uninterpreted functions. We have
found that relaxing functional consistency constraints to allow independent functionality of
different instructions, as was done in [DPR98], can dramatically improve both memory and time
performance. We look forward to testing our scheme for generating a propositional formula using
Boolean variables to encode the relations between terms. Our method exploits positive equality
to greatly reduce the number of propositional variables in the generated formula, as well as the
number of functional consistency and transitivity constraints. We are also considering the use of
satisfiability checkers rather than BDDs for performing our tautology checking.

We consider pipelined processor verification to be a "grand challenge" problem for formal
verification. We have found that complexity grows rapidly as we move to more complex pipelines,
including ones with out-of-order execution and register renaming. Further breakthroughs will be
required before we can handle complete models of state-of-the-art processors.